WingNews logo WingNews
top | item 4689474

(no title)

maximilian | 13 years ago

Can anyone comment on why password-less ssh-keys are bad? ("#11: Never ever use passphrase free key (passphrase key less) login.")

I usually figure that it just generates some random number based on the time + salt and that is more secure (brute-force attack-wise) than any silly password I could come up with myself.

discuss

order

dkokelley|13 years ago

The password is not what is used to authenticate to the ssh remote. The ssh private key is still used, it's just locked on the client side. You unlock the private key with the passphrase, and then use the unlocked (unencrypted) key to authenticate to the remote.

By using a password-free key, your private key is sitting in plain text on your local machine, which is a potential security risk.

(Apologies is your question is more nuanced than my understanding.)

maximilian|13 years ago

So, the private key is encrypted on the client side, which requires that the user type their key-password in, so that the client can send the private key in order to authenticate?

I generally use ssh keys so that I dont have to type my password in 50 times a day. Can this be done with a key-password, or does this defeat the entire purpose of having a key-password?

cnvogel|13 years ago

Besides the reference made by "wiredfool" about ssh-agent further down (which remembers the decrypted keys once you've entered the corresponding password so that other ssh sessions can use them without bothering you again, and: this connection can also be forwarded through consecutive ssh-sessions!)...

- You can mitigate the danger arising from unencrypted ssh-keys laying around by either generating special-purpose users for a certain task, or...

- you can set restrictions on what a certain ssh-key is allowed on the target host. This is described in the sshd(8) manual page, section "AUTHORIZED_KEYS FILE FORMAT".

Of course the other remedy against having to type passwords repeatedly is to use the pretty "ControlMaster" feature: The 2nd and following ssh-session re-uses the already authenticated channel of the first ssh connection. (ssh_config(5) manual page, section on ControlMaster).

dredmorbius|13 years ago

That key by itself becomes a valid access token.

If someone snarfs your key from local storage, they are you. They don't need a 2nd secret (the passphrase) to unlock the key.

If you use methods such as ssh-agent, you get all the convenience of a passwordless key (save the entering the passphrase into the agent) without the security risks.

You may find it necessary to use passwordless keys for some server processes, say, Nagios authentication or running remote jobs between servers. So long as you isolate these keys, restrict access to known hosts / IP ranges, etc., you're fairly well covered. Forced commands are another option to reduce the risk of such keys, though these aren't always appropriate.

leejoramo|13 years ago

If you don't use passwords on your keys, then any one who can access the key files on your local system, could access the remote server. Not using passwords removes an important layer of security.

That said, often you need to have password-less keys in order for systems to automatically communicate. For example, I setup backup servers without passwords.