Mm Bsd <mmbsd1...@yahoo.com> wrote: > Let's say I'd like to add a small amount of extra security to my > SSH login process. > > Let's say I decide the way I want to do this is by requiring > BOTH a password and an RSA key ... So to log in, I would be > required to enter a normal unix password, but I would ALSO be > required to hold a proper RSA public key. > > My question is this: > > In terms of security (and correctness ?) what's the difference > between this (unix password + SSH RSA key) and simply generating > my RSA key *with* a password ? Both ways require me to "have > something" and "know something", but they are obviously different, > technically.
Suppose you are a bank branch manager, and consider your RSA key as the combination to the vault. (Also suppose that you are the only person authorized to open the vault, and that the combination is complicated enough that you can't just remember it -- it has to be written down.) Normal file security (chmod 400) is like storing the paper, on which the combination is written, inside your locked (personal) office. Someone other than you, e.g. the janitor, may have a key to your office. Protecting the RSA key with a password is like locking the paper in your desk (which is in your locked office). Only you have a key to the desk. Requiring a login password in addition to the RSA key is like adding a second, interior door -- to which you have the only key -- to the vault. That second door is nowhere near as strong as the main vault door, but it does provide some additional protection. There's no reason in principle why you can't protect your RSA key with a password, and also require a (different) password for login in addidion to the RSA key. _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"