hi All:
On 03/25/2016 11:23 PM, Anthony Carrico wrote: >> I had a question about ssh passphrases. How many people use them for >> ssh? Is it a Bad Idea not to use them? *If* I said I didn't use them, >> would a collective gasp be heard across VAGUE land? No worries, and thanks for asking! Being in VAGUE land does not automatically imply strong knowledge of X. We are all experts in some things, not all things. It is all about sharing what we know. > Unfortunately, user applications typically aren't sandboxed in Linux > distributions (Brian Waters, any info on this?), so they can use your > key once your agent has the password, but at least if they snatch the > key they'll need the password to use it elsewhere/elsewhen. GNU/Linux does have "good" ASLR, not enough to stop all forms of Return Oriented Programming, but quite a few are thwarted with ASLR. If you want Mandatory Access Control, investigate SELinux, AppArmor, etc... *I* strongly advise the use of passphrases, ssh-add, ssh-agent, and friends. If you want a power-tool here, check out what monkeysphere http://web.monkeysphere.info/ can do for you, some VERY cool actions. > One application for a passwordless key is using ssh keys in an > unattended system, for example a backup server. In that case only the > backup service user should be able to see the private key on the server, > and the client can increase security somewhat with from="..." in its > authorized_keys file, see man sshd. Agreed. I also encourage restricting what hosts are allowed for what user. Also remember that hosts.{allow,deny} and fail2ban are useful here, as well as monkeysphere. In the case of monkeysphere, you can, for example, permit a new user access to your ssh setup by key authentication using monkeysphere. A very handy feature for remote/distributed setups--- a GPG key is required of course... >> If the weakness of the public/private key pair is the danger that >> someone gets access to your file system and copies your private key, is >> it recommended practice that the passphrase *not* be in a file somewhere? If by "in a file" you mean in a plaintext file, yes, I avoid placing plaintext keys on systems. FWIW: ssh keys encrypt the passphrase with the key. > If you put it in a file, use your PGP key to encrypt the file. > >> Can anyone point to best practices for choosing ssh passphrases? I think >> it needs to be long, easily memorable and highly entropic which all seem >> contradictory. There are many sources of advice on passwords, some good, some not so good. With the addition of entropy in the form of numbers, [upper::lower] letters, and punctuation, the XKCD method is a good approach for improving password retention. https://xkcd.com/936/ That said, I strongly encourage the use of a password manager. <opinion> *I* prefer one written in a language that does not require an interpreter (ie: Mono/.NET), one that is cross-platform, and one that stores data locally only. Forward secrecy is nice too. </opinion> The advantage of a password manager is that you can now have one passphrase open your encrypted password database. Individual sites and user accounts may now use passwords of arbitrary length filled with CSPRNG data. The closer a password is to a long string of totally random data, the stronger it is against modern attacks. See: https://en.wikipedia.org/wiki/List_of_password_managers Thanks have a nice day.yad jdpf
signature.asc
Description: OpenPGP digital signature
