Richard Freeman on 10 Jun 2009 17:42:52 -0700



Re: [PLUG] Pros and cons of key-pair based vs password based SSH...


Fred Stluka wrote:
> For the ability to ssh from any client machine, without having
> to carry my key-pair file on a USB drive or something, is it
> reasonable to just change the server's config file to say:
>     PasswordAuthentication yes
> 
> Or is there a more secure way to get this convenience?
> 

I've been lurking on this list for a few weeks now and haven't gotten to 
attend a meeting yet, but I couldn't pass up the chance to respond to 
this one.

The only risk to allowing password authentication is the possibility 
that somebody might guess your password.  Scripts that automatically add 
IPs to hosts.deny are one way to reduce the risk there.

The other thing I do is to modify my pam config for ssh to only allow 
particular accounts to log in - that way I don't have to worry about 
some account on my system that I might not even use having a weak 
password.  A line like this will do the trick:

auth            required        pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh/ssh_allow.pamlist

Your distro may also have a pam config file that will apply to any 
remote login attempt and this would be a good place to put this to cover 
all your bases.

Another approach you could use is to use something like skey which is a 
one-time password generator.  If you're really paranoid this will allow 
you to log in using a password from a system that contains a keylogger 
without being compromised.  I used to use this from university computer 
labs - I'd print out a list of 100 passwords and keep it on me - then I 
could log in securely at any time (of course, guard your password list!) 
- a password is only good for a single login.

I tend to only connect from trusted computers these days so I just use 
password-based logins most of the time.  In my situation I suspect that 
the keyfile is more likely to be compromised than my password.  Of 
course, you could protect your keyfile with a password, but that offers 
the inconveniences of both approaches.  An ssh password agent is a way 
to mitigate this somewhat.

Allowing password logins does not prevent you from also logging in with 
a key.
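An added example, not part of Richard's reply or the PLUG list: a small POSIX shell script that exercises the two defensive measures the reply mentions in a scratch directory instead of /etc. It writes a pam_listfile allow list of the form used with item=user sense=allow, checks whether a given account is on it, and counts "Failed password" lines per source IP from sshd syslog output to produce hosts.deny entries once an IP crosses a threshold. The log lines are constructed samples in the common OpenSSH syslog format, the file paths are parameters (assumption: you would point them at /etc/ssh/ssh_allow.pamlist and your real auth log on a live host), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Works entirely in a
# temporary directory so it can run without root.

# Write the allow list in the shape pam_listfile reads: one user per line.
# On a real host pam_listfile rejects a list that is world-writable or not
# owned by root, and with onerr=fail that rejection denies every login,
# so keep the file root-owned with mode 0644.
write_allow_list() {
    file=$1; shift
    : > "$file"
    for u in "$@"; do
        printf '%s\n' "$u" >> "$file"
    done
    chmod 0644 "$file"
}

# Return 0 if the account is listed, 1 otherwise (mirrors sense=allow:
# only listed users get through, everything else is denied).
user_allowed() {
    grep -qx -- "$2" "$1"
}

# Count sshd "Failed password" lines per source IP and print every IP that
# reached the threshold as a tcp_wrappers line ("sshd: <ip>") suitable for
# appending to /etc/hosts.deny. Successful logins are ignored.
deny_lines_from_log() {
    logfile=$1
    threshold=$2
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") ip[$(i+1)]++
        }
        END { for (a in ip) if (ip[a] >= t) print "sshd: " a }
    ' "$logfile" | sort
}

# Constructed sample log: one IP with three failures, one with two,
# one legitimate user who mistyped once, and one successful login.
sample_log() {
    cat <<'EOF'
Jun 10 17:40:01 box sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 17:40:03 box sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 17:40:05 box sshd[2204]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jun 10 17:41:10 box sshd[2210]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2
Jun 10 17:41:12 box sshd[2210]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2
Jun 10 17:42:30 box sshd[2222]: Failed password for rich from 198.51.100.2 port 2222 ssh2
Jun 10 17:42:40 box sshd[2222]: Accepted password for rich from 198.51.100.2 port 2222 ssh2
EOF
}

# Demo run: build the list, check two accounts, then flag noisy IPs.
demo_dir=$(mktemp -d)
write_allow_list "$demo_dir/ssh_allow.pamlist" rich fred
sample_log > "$demo_dir/auth.log"
for acct in rich root; do
    if user_allowed "$demo_dir/ssh_allow.pamlist" "$acct"; then
        echo "$acct: allowed by pam_listfile"
    else
        echo "$acct: denied by pam_listfile"
    fi
done
echo "hosts.deny candidates (3 or more failures):"
deny_lines_from_log "$demo_dir/auth.log" 3
rm -rf "$demo_dir"
```

The threshold is deliberately a parameter: a shared NAT or a user with a stuck client can rack up a few failures quickly, so pick a number that catches scanners without locking out your own network, and review the resulting hosts.deny entries periodically rather than letting them accumulate forever.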
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug