> I had a question about ssh passphrases. How many people use them for
> ssh? Is it a Bad Idea not to use them? *If* I said I didn't use them,
> would a collective gasp be heard across VAGUE land?

Unfortunately, user applications typically aren't sandboxed in Linux
distributions (Brian Waters, any info on this?), so they can use your key
once your agent has the password, but at least if they snatch the key
they'll need the password to use it elsewhere/elsewhen.

One application for a passwordless key is using ssh keys in an unattended
system, for example a backup server. In that case only the backup service
user should be able to see the private key on the server, and the client
can increase security somewhat with from="..." in its authorized_keys
file, see man sshd.

> If the weakness of the public/private key pair is the danger that
> someone gets access to your file system and copies your private key, is
> it recommended practice that the passphrase *not* be in a file somewhere?

If you put it in a file, use your PGP key to encrypt the file.

> Can anyone point to best practices for choosing ssh passphrases? I think
> it needs to be long, easily memorable and highly entropic which all seem
> contradictory.

-- 
Anthony Carrico
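One way to check for the from="..." restriction Anthony mentions, as an added example that is not part of the original thread: a small Python audit of an authorized_keys file that parses the options field (quoted values may contain commas) and lists every key with no from= limit. The file content is constructed; command= and no-pty are standard sshd(8) options, assumed here beside from=.

```python
# Audit an OpenSSH authorized_keys file for keys that carry no from="..."
# restriction (the sshd(8) option the reply above mentions). Added example,
# not code from the original mail; the sample file at the bottom is constructed.

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

def split_unquoted(text, seps):
    """Split on any char in seps that lies outside double quotes. Inside quotes
    a backslash escapes the next char, so from="a,b" and \\" survive intact."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.extend(text[i:i + 2]); i += 2; continue   # keep escape verbatim
        if c == '"':
            quoted = not quoted
        elif c in seps and not quoted:
            out.append("".join(cur)); cur = []; i += 1; continue
        cur.append(c); i += 1
    out.append("".join(cur))
    return [t for t in out if t]          # drop empties from repeated separators

def parse_line(line):
    """Return (options dict, key type, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " \t")
    opts = [] if fields[0] in KEY_TYPES else split_unquoted(fields.pop(0), ",")
    if not fields:
        raise ValueError("malformed authorized_keys line: %r" % line)
    options = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        options[name] = (value[1:-1] if value[:1] == '"' else value).replace('\\"', '"')
    return options, fields[0], " ".join(fields[2:])

def audit(text):
    """List (line no, key type, comment) for every entry usable from any host."""
    rows = ((n, parse_line(raw)) for n, raw in enumerate(text.splitlines(), 1))
    return [(n, p[1], p[2]) for n, p in rows if p is not None and "from" not in p[0]]

SAMPLE = """\
# constructed sample: key blobs are placeholders, not real keys
from="backup.example.org,10.0.0.5",command="/usr/local/bin/rsync-wrapper",no-pty ssh-ed25519 AAAAC3placeholder backup@server
ssh-rsa AAAAB3placeholder alice@laptop
from="*.example.org" ssh-ed25519 AAAAC3placeholder2 bob@desk
"""
```

Run `audit(open("/home/backup/.ssh/authorized_keys").read())` on the backup host to see which entries are not pinned to a source host.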