LinuxQuestions.org
Old 03-16-2012, 08:52 PM   #1
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Rep: Reputation: Disabled
Is ssh keys authentication more secure than password authentication?


Hello,

I am thinking of doing ssh tunneling to my home computer when I am outside.

I sort of read that ssh keys authentication is more secure than password authentication.
Thus far I've always used password authentication.

I want to try something new and need your personal experience on whether I should continue with passwords or go with keys.

PS: If I decide to go with keys should I disable password authentication from /etc/ssh/sshd_config?

Thanks for any feedback

Last edited by GrepAwkSed; 03-16-2012 at 09:14 PM.
 
Old 03-16-2012, 10:53 PM   #2
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,455

Rep: Reputation: 1172
IMHO, it is definitely preferable to set up sshd to accept only keys-based authentication.

And, yes, this means that you must disable password authentication, because (quite annoyingly...) sshd seems positively eager to accept the least secure form of authentication that it can find.

The obvious advantage of "a key" is that you either have it or you don't. Anyone on earth can "know the magic word," but not so many people can be in possession of a unique, revocable, and non-forgeable key.

A clear advantage of keys, like that of the electronic identification badges that you probably use at your place of work, is that they can be individually issued, and therefore, individually revoked. If someone steals a copy of a badge, that badge can be deactivated without preventing any other badge-holder from entering the building. Also, it simply isn't feasible for anyone to create a forged copy of that badge.

If you want to impose a "password" restriction, simply encrypt the badge. Now, only a person who knows the proper password can use the badge. But if the badge itself is ever stolen or compromised, the badge can be selectively invalidated, no matter what the password(s) used to safeguard its contents might have been.

Last edited by sundialsvcs; 03-16-2012 at 10:55 PM.
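
A check for the setting discussed in the post above, as an added example that is not part of the original thread. It goes slightly beyond the post by also checking keyboard-interactive logins, which can still prompt for a password; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an sshd_config-style file for
# password-style logins. Simplifications (assumptions): Include files and
# Match blocks are not evaluated; parsing stops at the first Match line.

# Print the first value set for keyword $2 in file $1, lower-cased.
# sshd uses the first value it obtains for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
first_value() {
    awk -v kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }         # conditional section starts
        tolower(f[1]) == kw { print tolower(f[2]); exit }
    ' "$1"
}

# Succeeds only if both password and keyboard-interactive logins are set
# to "no". Both default to "yes" when the keyword is absent.
password_logins_disabled() {
    pa=$(first_value "$1" PasswordAuthentication)
    kbd=$(first_value "$1" KbdInteractiveAuthentication)
    # Older configs use the previous name for the same setting.
    [ -n "$kbd" ] || kbd=$(first_value "$1" ChallengeResponseAuthentication)
    [ "$pa" = "no" ] && [ "$kbd" = "no" ]
}

# Constructed sample: the early "yes" wins over the later "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's config
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
if password_logins_disabled "$sample"; then
    echo "password logins disabled"
else
    echo "password logins still possible:" \
         "PasswordAuthentication=$(first_value "$sample" PasswordAuthentication)"
fi
rm -f "$sample"
```

On a live server, `sshd -T` run as root prints the effective configuration with defaults and included files resolved, which is the authoritative answer.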
 
Old 03-16-2012, 11:02 PM   #3
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Thanks sundialsvcs for your input.

BTW, do I need to keep both id_rsa and id_rsa.pub in the .ssh/ folder?

If unsure, then I'll leave them there.
 
Old 03-17-2012, 07:08 AM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Transfer the public key to the server. Keep the private key with the client. It is safe to leave the public key with the client also. BTW, the public key is exactly that, public, and it is safe to give this key out. In the case of SSH, there is little need, but if you were to use keys for other purposes such as encrypted email you should keep this in mind.

Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).
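
The append-with-backup step described above, as an added example that is not part of the original post. The function name `add_authorized_key` and the key strings are constructed placeholders; the default path assumes the usual `~/.ssh/authorized_keys` location.

```shell
#!/bin/sh
# Added example, not from the thread.
# add_authorized_key PUBFILE [AUTHFILE]: back up, then append with >>.
add_authorized_key() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$auth")

    # Only the public half belongs on the server.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ -f "$auth" ]; then
        # Already authorized: nothing to do, and the backup stays intact.
        if grep -qxF -f "$pub" "$auth"; then return 0; fi
        cp -p "$auth" "$auth.bak"          # backup before touching the file
        # A missing final newline would glue the new key onto the last
        # existing one and break both entries.
        [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    fi
    cat "$pub" >> "$auth"                  # >> appends; a single > overwrites
    chmod 600 "$auth"                      # sshd StrictModes rejects loose modes
}

# Constructed demo in a scratch directory; the key strings are placeholders,
# not real keys. The existing file deliberately lacks a trailing newline.
demo=$(mktemp -d)
printf 'ssh-rsa CONSTRUCTED-EXISTING-KEY old@host' > "$demo/authorized_keys"
echo 'ssh-rsa CONSTRUCTED-NEW-KEY me@laptop' > "$demo/id_rsa.pub"
add_authorized_key "$demo/id_rsa.pub" "$demo/authorized_keys"
add_authorized_key "$demo/id_rsa.pub" "$demo/authorized_keys"  # no-op rerun
echo "authorized keys: $(wc -l < "$demo/authorized_keys")"
rm -rf "$demo"
```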
 
Old 03-17-2012, 07:17 AM   #5
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252
No, the id_rsa.pub you can delete on your local machine. In case you need it again, it can also be recreated by ssh-keygen -y.

It is worth noting that with a running ssh-agent and agent forwarding it’s also convenient to access several remote servers where you reach one from another one. This website explains it really nicely.

On the Mac the ssh-agent is started automatically nowadays (I think from 10.5 on).
 
Old 03-17-2012, 07:30 AM   #6
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,320

Rep: Reputation: 252
Quote:
Originally Posted by Noway2
Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).
There is also the ssh-copy-id script for this purpose, unfortunately only on Linux, not on a Mac, but you could copy it thereto [Update: noticed too late that sundialsvcs uses a Mac, not the OP GrepAwkSed - so it should be there already]. Anyway, this means you need access by password beforehand. Otherwise you usually have to send the public key to the admin of the server by email or the like to get access.

Last edited by Reuti; 03-17-2012 at 07:33 AM. Reason: Thought OP uses a Mac
 
Old 03-17-2012, 09:25 PM   #7
GrepAwkSed
LQ Newbie
 
Registered: Mar 2012
Posts: 23

Original Poster
Rep: Reputation: Disabled
Thanks to the new replies. Everything is working great.
 
  

