Re: Does Public Key Authentication offer additional security over SSH/SFTP



Chuck <skilover_nospam@xxxxxxxxxxxxxx> writes:

> Marty W wrote:
>> Hi guys,
>>
>> I've got a fairly newbie (but hopefully quick) question.
>> So I've set up a public/private key pair on my Unix boxes for
>> authentication for my SSH/SFTP connections so I don't have to provide
>> my password.
>>
>> Does setting this up provide an extra layer of security (i.e. additional
>> encryption)?
>
> No. It is a way of authenticating. I.e., computer B has computer A's public
> key, then when computer A tries to log on, computer B can check to make
> sure that A's private key was used.
>
>> Cheers
>> Capt. Wing
>
> The security is only as good as the strength of the passphrase on the
> private key. If you've left it unencrypted (no passphrase), you actually

Authentication, not security.

> made it much easier for an attacker to get into your servers. They just
> need to steal a copy of the key and they will never need anything else.
> With a weak password, it's subject to dictionary attacks, but they would
> still need to get a copy of the key file. The bottom line is protect the
> private key file itself by making it as inaccessible as possible to
> anyone but you, and then have it encrypted with a strong passphrase.

And even better, never log onto any other computer-- then you do not need
any authentication.

If they can get a copy of your key file, they are either root on your
system (and thus can read your password anyway when you type it in) or are
logged in as you (in which case they can read your password when you type
it in).
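The two concrete pieces of advice in this thread are "keep the private key file unreadable to anyone but you" and "keep it encrypted with a passphrase". Both can be checked without the passphrase, because an OpenSSH private key file records in the clear whether it is encrypted: the native openssh-key-v1 format stores the cipher and KDF names in its header ("none"/"none" when ssh-keygen was run with an empty passphrase), and the older PEM format marks encrypted keys with a "Proc-Type: 4,ENCRYPTED" header line. The following audit script is an added example, not code from this thread or from OpenSSH; the two sample key files it builds are constructed placeholders with only the header fields filled in, not real keys.

```python
import base64
import glob
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    offset += 4
    if offset + length > len(buf):
        raise ValueError("truncated key blob")
    return buf[offset:offset + length], offset + length


def key_is_encrypted(text):
    """Return True if the private key file is passphrase-protected.

    Works without the passphrase: the openssh-key-v1 header names the cipher
    and KDF in clear ("none"/"none" for a key made with an empty passphrase),
    and the legacy PEM format signals encryption with a Proc-Type header.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head, tail = lines[0], lines[-1]
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        if tail != "-----END OPENSSH PRIVATE KEY-----":
            raise ValueError("missing END armor line")
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, off = _read_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    if head.startswith("-----BEGIN ") and head.endswith(" PRIVATE KEY-----"):
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("not a recognised private key file")


def permission_findings(mode):
    """Flag a key file whose permission bits let anyone but the owner read or
    write it. `mode` is the permission part of st_mode, e.g. 0o600."""
    findings = []
    if mode & 0o077:
        findings.append("mode %04o: readable/writable by group or others" % (mode & 0o777))
    return findings


def audit_private_key(text, mode):
    """Run both checks; an empty list means the key file passes."""
    findings = permission_findings(mode)
    if not key_is_encrypted(text):
        findings.append("no passphrase: a copy of this file alone grants access")
    return findings


def build_openssh_blob(cipher, kdf):
    """CONSTRUCTED sample: an openssh-key-v1 file with only the header fields
    filled in. It is not a usable key; it exists so the parser runs offline."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(b"placeholder-public") + s(b"placeholder-private"))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# CONSTRUCTED sample of the legacy PEM layout; the body is not a real key.
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    # Walk the usual key locations and report anything the thread warns about.
    for path in sorted(glob.glob(os.path.expanduser("~/.ssh/id_*"))):
        if path.endswith(".pub"):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            try:
                findings = audit_private_key(fh.read(), mode)
            except ValueError as exc:
                findings = ["unreadable: %s" % exc]
        print(path, "OK" if not findings else "; ".join(findings))
```

Run it as a user and it lists each id_* file with either OK or the findings. The permission check mirrors what the ssh client itself enforces (it refuses a private key that group or others can read), while the passphrase check is the part no tool does for you: an unencrypted key gives the same result as a strong one at the remote end, so only the file header tells you which you have.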



