Re: [PLUG] Pros and cons of key-pair based vs password based SSH...
Fred Stluka wrote:
> For the ability to ssh from any client machine, without having
> to carry my key-pair file on a USB drive or something, is it
> reasonable to just change the server's config file to say:
> PasswordAuthentication yes
>
> Or is there a more secure way to get this convenience?
>
I've been lurking on this list for a few weeks now and haven't gotten to
attend a meeting yet, but I couldn't pass up the chance to respond to
this one.

The only risk to allowing password authentication is the possibility
that somebody might guess your password. Scripts that automatically add
IPs to hosts.deny are one way to reduce the risk there.

The other thing I do is to modify my pam config for ssh to only allow
particular accounts to log in - that way I don't have to worry about
some account on my system that I might not even use having a weak
password. A line like this will do the trick:

auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/ssh/ssh_allow.pamlist

Your distro may also have a pam config file that will apply to any
remote login attempt and this would be a good place to put this to cover
all your bases.

Another approach you could use is to use something like skey which is a
one-time password generator. If you're really paranoid this will allow
you to log in using a password from a system that contains a keylogger
without being compromised. I used to use this from university computer
labs - I'd print out a list of 100 passwords and keep it on me - then I
could log in securely at any time (of course, guard your password list!)
- a password is only good for a single login.

I tend to only connect from trusted computers these days so I just use
password-based logins most of the time. In my situation I suspect that
the keyfile is more likely to be compromised than my password. Of
course, you could protect your keyfile with a password, but that offers
the inconveniences of both approaches. An ssh password agent is a way
to mitigate this somewhat.

Allowing password logins does not prevent you from also logging in with
a key.
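The reply above mentions scripts that add repeat offenders to hosts.deny. The following is an added example of that detection logic, not code from the original message or from the list: it scans sshd log lines for repeated "Failed password" attempts per source IP and prints TCP-wrappers entries for hosts.deny. The log lines are constructed, and the threshold and function names are assumptions made for the example.

```bash
#!/bin/sh
# Added example (not from the original post): pick out source IPs that
# repeatedly fail password authentication in sshd logs and emit hosts.deny
# entries for them. The log lines below are constructed for illustration;
# on a real host you would feed /var/log/auth.log or journalctl output.

SAMPLE_LOG='Mar  3 10:01:12 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 host sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:01:19 host sshd[2203]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:01 host sshd[2210]: Failed password for fred from 198.51.100.4 port 40002 ssh2
Mar  3 10:02:05 host sshd[2210]: Accepted password for fred from 198.51.100.4 port 40002 ssh2
Mar  3 10:03:40 host sshd[2230]: Accepted publickey for fred from 192.0.2.10 port 33000 ssh2'

# failed_by_ip: read sshd log lines on stdin and print "<count> <ip>" for
# every source IP with at least one "Failed password" line, busiest first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# hosts_deny_entries THRESHOLD: print one "sshd: <ip>" line (TCP wrappers
# syntax, suitable for appending to /etc/hosts.deny) for each IP whose
# failure count reaches THRESHOLD.
hosts_deny_entries() {
    threshold="$1"
    failed_by_ip | awk -v t="$threshold" '$1 >= t {print "sshd: " $2}'
}

# Stand-alone run: three failures from 203.0.113.7 cross a threshold of 3;
# the single failure from 198.51.100.4 (a typo before a success) does not.
printf '%s\n' "$SAMPLE_LOG" | hosts_deny_entries 3
```

A real deployment would run this periodically against the live log, dedupe against entries already in hosts.deny, and whitelist addresses you administer from, so a mistyped password cannot lock you out.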
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug