LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   ssh-keygen -t rsa -b 2048 without a passphrase (https://www.linuxquestions.org/questions/linux-security-4/ssh-keygen-t-rsa-b-2048-without-a-passphrase-812954/)

sycamorex 06-08-2010 04:17 PM
ssh-keygen -t rsa -b 2048 without a passphrase
 
I was wondering whether increasing the strength of a key by increasing the number of bits in the key to 2048 makes any sense if I want to leave the passphrase blank anyway?
I'm setting up passwordless ssh logins on my LAN as I'm a bit tired of constantly being asked for a password.

Thank you

anomie 06-08-2010 05:12 PM
Check the ssh-keygen(1) manpages for your OS; -b 2048 should already be the default for most modern-ish implementations.

---

edit: Eh, I'm not sure if it makes sense. I am not crystal clear on whether your private key is derived from the passphrase.

sycamorex 06-08-2010 05:28 PM
Thanks. You might be right. I'm not sure if I get it right but according to the man page, the -b flag has nothing to with the private key which is encrypted using 128-bit AES.

When it comes to default value of -b, you're right, it is 2048.

unixfool 06-09-2010 01:54 PM
If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?

AFAIK, the private key isn't derived from the passphrase.

You can create a passphrase-less key, but it isn't a best practice.

chrism01 06-09-2010 10:58 PM
The key-length protects data 'in-flight'. The longer the key, the harder to break.
The passphrase is a separate issue. If the system is secure enough, not having a passphrase maybe ok.
If you need to automate processes, then either

1. no passphrase
2. use ssh-agent as described, but you need to call the program from within that session. This is not practical for cron jobs.

sycamorex 06-10-2010 04:06 PM
Quote:
Originally Posted by unixfool (Post 3998146)
If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?


You can create a passphrase-less key, but it isn't a best practice.
Thank you all for your answers.
I know that in terms of security having a passwordless anything is not best practice, but as I said it's just for the purpose of my private LAN.

Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
I'm missing something here. I thought the introduction of keys was to get rid of passphrases in the first place. Yes....., I'm definitely missing something here:)

anomie 06-10-2010 04:31 PM
Quote:
Originally Posted by sycamorex
Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
Yes, that's right.

But: you should take a look at the ssh-keygen(1) manpages, -O (constraint) option. You can restrict access by source address. (I'm not sure which version of openssh this first appeared in.)

sycamorex 06-10-2010 04:42 PM
Nice one, further IP restrictions (among others). Thanks


All times are GMT -5. The time now is 05:15 PM.