Is ssh keys authentication more secure than password authentication?
hello,
I am thinking of doing ssh tunneling to my home computer when I am outside. I sort of read that ssh key authentication is more secure than password authentication. Thus far I've always used password authentication. I want to try something new and need your personal experience on whether I should continue with passwords or go with keys. PS: If I decide to go with keys, should I disable password authentication in /etc/ssh/sshd_config? Thanks for any feedback
IMHO, it is definitely preferable to set up sshd to accept only keys-based authentication.
And, yes, this means that you must disable password authentication, because (quite annoyingly...) sshd seems positively eager to accept the least secure form of authentication that it can find. The obvious advantage of "a key" is that you either have it or you don't. Anyone on earth can "know the magic word," but not so many people can be in possession of a unique, revocable, and non-forgeable key. A clear advantage of keys, like that of the electronic identification badges that you probably use at your place of work, is that they can be individually issued, and therefore, individually revoked. If someone steals a copy of a badge, that badge can be deactivated without preventing any other badge-holder from entering the building. Also, it simply isn't feasible for anyone to create a forged copy of that badge. If you want to impose a "password" restriction, simply encrypt the badge. Now, only a person who knows the proper password can use the badge. But if the badge itself is ever stolen or compromised, the badge can be selectively invalidated, no matter what the password(s) used to safeguard its contents might have been.
thanks sundialsvcs for your input.
BTW, do I need to keep both id_rsa and id_rsa.pub in the .ssh/ folder? If unsure, I'll leave them there.
Transfer the public key to the server. Keep the private key with the client. It is safe to leave the public key with the client also. BTW, the public key is exactly that, public, and it is safe to give this key out. In the case of SSH, there is little need, but if you were to use keys for other purposes such as encrypted email you should keep this in mind.
Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).
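A worked example, added here and not code from any poster in this thread, covering the two pieces of advice above: it appends a public key to authorized_keys the careful way this reply describes (backup first, `>>` rather than `>`, no duplicate line, the usual 700/600 permissions), and it audits an sshd_config for the keys-only setup sundialsvcs recommends. The function names, the backup file name and the regex for what counts as a key line are my own choices; the check honours sshd's first-value-wins rule but stops at the first Match block and does not follow Include files. The KbdInteractiveAuthentication check goes a little beyond the thread: with PAM in play, that option can still produce a password prompt even when PasswordAuthentication is set to no. Paths are parameters, so it can be tried on scratch files; the key line in the usage at the bottom is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers:
#   install_pubkey    <pubkey-file> <authorized_keys-file>
#   check_sshd_config <sshd_config-file>
# Paths are parameters so both can be exercised on scratch files first.

# Append one OpenSSH public key line to an authorized_keys file the careful way:
# validate the line, back the file up, use >> (a single > would wipe every other
# key), skip it if already present, and leave the usual 700/600 permissions.
install_pubkey() {
    pub="$1"; ak="$2"
    # Exactly one line, starting with a known key type and a base64 blob.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "$pub: expected exactly one key line" >&2; return 1; }
    grep -Eq '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' "$pub" \
        || { echo "$pub: not an OpenSSH public key line" >&2; return 1; }

    akdir=$(dirname "$ak")
    mkdir -p "$akdir" && chmod 700 "$akdir"
    touch "$ak"
    cp -p "$ak" "$ak.bak"            # backup first ("been there, done that")

    # Match on the key material only, so a changed comment does not create a duplicate.
    blob=$(awk '{print $2}' "$pub")
    if grep -qF -- "$blob" "$ak"; then
        echo "key already present in $ak"
    else
        # printf supplies the newline even if the .pub file lacks one,
        # so the next key appended cannot land on the same line.
        printf '%s\n' "$(cat "$pub")" >> "$ak"
        echo "key appended to $ak"
    fi
    chmod 600 "$ak"
}

# First uncommented global value of an sshd_config keyword, lower-cased (sshd
# itself uses the first value it reads). Empty if absent. Stops at the first
# Match block, because values there are conditional; Include files are not
# followed (a simplification of this example).
sshd_value() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Report anything that still lets a password in. Returns 0 only when the
# config enforces key-only logins. Defaults match OpenSSH's own defaults.
check_sshd_config() {
    cfg="$1"; rc=0
    pw=$(sshd_value "$cfg" PasswordAuthentication);       pw=${pw:-yes}
    pk=$(sshd_value "$cfg" PubkeyAuthentication);         pk=${pk:-yes}
    kb=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$kb" ] || kb=$(sshd_value "$cfg" ChallengeResponseAuthentication)  # older spelling
    kb=${kb:-yes}
    [ "$pw" = no ]  || { echo "PasswordAuthentication is '$pw', want no"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk', want yes"; rc=1; }
    [ "$kb" = no ]  || { echo "KbdInteractiveAuthentication is '$kb', want no (PAM can still prompt for a password)"; rc=1; }
    return $rc
}

# Usage on scratch files (the key blob below is constructed, not a real key):
#   printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlobNotRealAAAA me@laptop\n' > /tmp/demo.pub
#   install_pubkey /tmp/demo.pub /tmp/demo-ssh/authorized_keys
#   check_sshd_config /etc/ssh/sshd_config
```

Run `check_sshd_config` against the real `/etc/ssh/sshd_config` only after `install_pubkey` has been done and a key login has been confirmed from a second terminal; once PasswordAuthentication is off, the key is the only way back in. On a mixed-version fleet, remember that the older `ChallengeResponseAuthentication` spelling is an alias for `KbdInteractiveAuthentication`, which is why the check accepts either.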
No, the id_rsa.pub you can delete on your local machine. In case you need it again, it can also be recreated by ssh-keygen -y.
Worth noting is that with a running ssh-agent and agent forwarding it's also convenient to access several remote servers where you reach one from another one. This website explains it really nicely. On the Mac the ssh-agent is started automatically nowadays (I think from 10.5 on).
Thanks for the new replies. Everything is working great.