LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Is ssh keys authentication more secure than password authentication? (http://www.linuxquestions.org/questions/linux-security-4/is-ssh-keys-authentication-more-secure-than-password-authentication-934866/)

GrepAwkSed 03-16-2012 07:52 PM

Is ssh keys authentication more secure than password authentication?
 
hello,

I am thinking of doing ssh tunneling to my home computer when I am outside.

I sort of read that ssh keys authentication is more secure than password authentication.
Thus far I've always use password authentication.

I want to try something new and need your personal experience of should I continue with password or go with keys.

PS: If I decide to go with keys should I disable password authentication from /etc/ssh/sshd_config?

Thanks for any feedback

sundialsvcs 03-16-2012 09:53 PM

IMHO, it is definitely preferable to set up sshd to accept only keys-based authentication.

And, yes, this means that you must disable password authentication, because (quite annoyingly...) sshd seems positively eager to accept the least secure form of authentication that it can find.

The obvious advantage of "a key" is that you either have it or you don't. Anyone on earth can "know the magic word," but not so many people can be in possession of a unique, revocable, and non-forgeable key.

A clear advantage of keys, like that of the electronic identification badges that you probably use at your place of work, is that they can be individually issued, and therefore, individually revoked. If someone steals a copy of a badge, that badge can be deactivated without preventing any other badge-holder from entering the building. Also, it simply isn't feasible for anyone to create a forged copy of that badge.

If you want to impose a "password" restriction, simply encrypt the badge. Now, only a person who knows the proper password can use the badge. But if the badge, itself is ever stolen or compromised, the badge can be selectively invalidated, no matter what the password(s) used to safeguard its contents might have been.

GrepAwkSed 03-16-2012 10:02 PM

thanks sundialsvcs for your input.

BTW, do I need to keep both id_rsa id_rsa.pub in the .ssh/ folder?

if unsure, then I leave them there.

Noway2 03-17-2012 06:08 AM

Transfer the public key to the server. Keep the private key with the client. It is safe to leave the public key with the client also. BTW, the public key is exactly that, public, and it is safe to give this key out. In the case of SSH, there is little need, but if you were to use keys for other purposes such as encrypted email you should keep this in mind.

Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).

Reuti 03-17-2012 06:17 AM

No, the id_rsa.pub you can delete on your local machine. In case you need it again, it can also by recreated by ssh-keygen -y.

Worth to note, is that with a running ssh-agent and agent forwarding it’s also convenient to access several remote servers where you reach one from another one. This website explains it really nice.

On the Mac the ssh-agent is started automatically nowadays (I think from 10.5 on).

Reuti 03-17-2012 06:30 AM

Quote:

Originally Posted by Noway2 (Post 4629038)
Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).

There is also the ssh-copy-id script for this purpose, unfortunately only on Linux, not on a Mac but you could copy it thereto [Update: noticed to late, that sundialsvcs uses a MAC, not the OP GrepAwkSed - so it should be there already]. Anyway, this means you need access by password before. Otherwise usually you have to send the public key to the admin of the server by emails or alike to get access.

GrepAwkSed 03-17-2012 08:25 PM

Thanks to the new replies. Everything is working great.


All times are GMT -5. The time now is 11:07 PM.