[Ach] Fwd: SSH Pubkey authentication?

David Durvaux david.durvaux at gmail.com
Mon Jan 6 21:18:54 CET 2014


Hello,

I agree with Aaron.  Password authentication opens up the risk of brute
force.
Key authentication could be difficult to handle.

If a good password policy is in place (long and difficult passwords), it's
reasonable to state that password authentication is safe.

The problem is the usual one: the human.  But somehow, the risk is the same
with private keys and passwords.  If not kept secure, you are at risk ;-).

(My personal preference is to forbid passwords and rely on a well-protected
private key ;-)).

Kr,

David


2014/1/6 Peter van Dijk <peter at 7bits.nl>

> Hi Lorenz,
>
> as a point of interest, please realise that an administrator has no way to
> enforce pass phrases on private keys!
>
> Cheers, Peter
>
> On 06 Jan 2014, at 18:02 , Lorenz Intichar <lorenz at intichar.at> wrote:
>
> > Hi Aaron,
> >
> > just as a matter of interest: What security-wise disadvantages do you see
> > in ssh pubkey authentication, especially with a private key password set?
> >
> > A big advantage is (of course) that password-guessing is impossible with
> > just pubkey, a disadvantage is that the right private key has to be present
> > wherever the operator is, possibly on unsafe devices like smartphones. But
> > that issue is (hopefully) sufficiently addressed by password-protecting
> > the private key?
> >
> > Best regards,
> > Lorenz
> >
> >
> >> Hi,
> >>
> >> Axel Hübl wrote:
> >>> Hi Lorenz,
> >>>
> >>> I think promoting
> >>>> PasswordAuthentication no
> >>>
> >>> is a good thing and worth adding, too.
> >> I disagree. That's for administrators to decide if they want to use
> >> public key authentication or password auth. Both have advantages and
> >> disadvantages (security-wise and operational).
> >>
> >> Aaron
> >>
> >> _______________________________________________
> >> Ach mailing list
> >> Ach at lists.cert.at
> >> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> >>
> >
>


-- 
David DURVAUX