Re: What's the difference between password+RSA, and password-protected RSA ?

2011-11-21 Thread Patrick
In the case of a passphrase-protected RSA key, the server knows nothing
about it, so you would never be able to enforce that. It's on the
client side that the key is decrypted with the passphrase
before submitting it to the server.
Patrick


On Mon, Nov 21, 2011 at 1:19 PM, Mm Bsd mmbsd1...@yahoo.com wrote:
 Let's say I'd like to add a small amount of extra security to my SSH login 
 process.

 Let's say I decide the way I want to do this is by requiring BOTH a password 
 and an RSA key.  There appear to be patches, or procedures, that allow me to 
 do this.  So to log in, I would be required to enter a normal unix password, 
 but I would ALSO be required to hold a proper RSA public key.

 My question is this:

 In terms of security (and correctness ?) what's the difference between this 
 (unix password + SSH RSA key) and simply generating my RSA key *with* a 
 password ?  Both ways require me to have something and know something, 
 but they are obviously different, technically.

 Comments on the difference, and relative security of the two methods ?


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: What's the difference between password+RSA, and password-protected RSA ?

2011-11-21 Thread perryh
Mm Bsd mmbsd1...@yahoo.com wrote:

 Let's say I'd like to add a small amount of extra security to my
 SSH login process.

 Let's say I decide the way I want to do this is by requiring
 BOTH a password and an RSA key ...  So to log in, I would be
 required to enter a normal unix password, but I would ALSO be
 required to hold a proper RSA public key.

 My question is this:

 In terms of security (and correctness ?) what's the difference
 between this (unix password + SSH RSA key) and simply generating
 my RSA key *with* a password ?  Both ways require me to have
 something and know something, but they are obviously different,
 technically.

Suppose you are a bank branch manager, and consider your RSA key
as the combination to the vault.  (Also suppose that you are the
only person authorized to open the vault, and that the combination
is complicated enough that you can't just remember it -- it has to
be written down.)

Normal file security (chmod 400) is like storing the paper, on which
the combination is written, inside your locked (personal) office.
Someone other than you, e.g. the janitor, may have a key to your
office.

Protecting the RSA key with a password is like locking the paper in
your desk (which is in your locked office).  Only you have a key to
the desk.

Requiring a login password in addition to the RSA key is like adding
a second, interior door -- to which you have the only key -- to the
vault.  That second door is nowhere near as strong as the main vault
door, but it does provide some additional protection.

There's no reason in principle why you can't protect your RSA key
with a password, and also require a (different) password for login
in addition to the RSA key.
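The "both" requirement discussed in this thread can now be expressed server-side without patches: OpenSSH's AuthenticationMethods directive (added in OpenSSH 6.2, after these messages were written) makes sshd check a public key and the account password in sequence. This is an added example, not a configuration from the thread; the group name "admins" is an assumption.

```conf
# sshd_config (server side): members of the assumed group "admins" must
# present a valid public key AND then the account password. The server
# verifies each factor itself; it still has no way of knowing whether the
# client's private key file is passphrase-protected, which stays a
# client-side matter exactly as Patrick describes above.
PubkeyAuthentication yes
PasswordAuthentication yes

# Match blocks apply until the next Match and must sit at the end of the file.
Match Group admins
    AuthenticationMethods publickey,password
```

Validate the file with `sshd -t -f /etc/ssh/sshd_config` before reloading, since a syntax error in a Match block can lock you out. The key file's own passphrase is set or changed on the client with `ssh-keygen -p -f ~/.ssh/id_rsa`, which protects the file at rest and is invisible to the server.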