Your paranoia is misplaced. 3DES is used to protect the private key when
it's on disk. As long as you use a good passphrase, these keys will be
well protected. There's no snake oil here - the version of OpenSSH
running on linux derives from the version running on OpenBSD and them
folk are considered some of the most security conscious people in
existence!
Your security will depend on a good passphrase at the end of the day.
The man page for ssh-keygen recommend:
"Good passphrases are 10-30 characters long, are not
simple sen- tences or otherwise easily guessable (English
prose has only 1-2 bits of entropy per character, and
provides very bad passphrases), and contain a mix of
upper and lowercase letters, numbers, and non-alphanumeric
characters."
On Wed, Aug 23, 2006 at 12:55:17PM +0100, Aine Douglas wrote:
> On 8/23/06, Ewan Oughton <ewan at skynet.ie> wrote:
> >ssh keys can be setup that you need a password in order to use the key:
>> Got a couple of offlist hits to that effect too... will check it out
> to see what it actually does. I'm rather wary of just "passwords",
> maybe it comes from what I know in the windows world, dummy passwords
> protecting unprotected secrets. Nothing worse than snake oil.
>> I'm really interested in trying out Colm's portknocking idea... that
> has huge possibilities.
>> Thanks all,
>> Aine.
>> >[ewan at fiend ~]$ ssh ewan at beast.scrapping.cc> >Warning: Permanently added the RSA host key for IP address
> >'194.125.79.120' to the list of known hosts.
> >***************The Beast***************
> >* *
> >* Password-based logins disabled. *
> >* *
> >***************************************
> >
> >Enter passphrase for key '/home/ewan/.ssh/id_dsa':
> >Last login: Tue Aug 22 15:07:40 2006 from blueice2n1.uk.ibm.com
> >ewan at beast:~$
> >
> >
> >ssh-keygen (IME) asks for a passphrase by default when generating a key.
> >
> >
> >My ssh-foo is relatively weak, so forgive me if this is not what you're
> >looking for.
> >
> >
> >
> >Ewan
> >
> >
> >Ewan Oughton B.Sc. Comp Sys
> >DB / AnonFTP / Orac Root Admin SkyNet
> >
> >
> >On Wed, 23 Aug 2006, Aine Douglas wrote:
> >
> >> Hi Guys,
> >>
> >> I'm getting sick of seeing log entries for SSH dictionary attacks, the
> >> latest coming in the middle of me watching a live log while trying to
> >> solve a problem.
> >>
> >> I'd like to switch off password access and only allow private key
> >> access, but personally I have a problem with storing raw private keys
> >> on memory sticks, or machine hardrives, I feel its lower security than
> >> a memorised password.
> >>
> >> Does anyone know if there is a SSH client which can work with
> >> something like a PKCS12 private keystore where a password is needed to
> >> unlock the private key thus allowing the private key to be stored on
> >> insecure devices such as client pc's and memory sticks?
> >>
> >> I know there's PKCS11 for smartcard readers and the like, but thats a
> >> little extravagant for my needs.
> >>
> >> Aine.
> >> --
> >> Irish Linux Users' Group mailing list
> >> About this list : http://mail.linux.ie/mailman/listinfo/ilug> >> Who we are : http://www.linux.ie/> >> Where we are : http://www.linux.ie/map/> >>
> >
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug> Who we are : http://www.linux.ie/> Where we are : http://www.linux.ie/map/
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
