ssh-keygen -t rsa -b 2048 without a passphrase

sycamorex · 06-08-2010, 04:17 PM

I was wondering whether increasing the strength of a key by increasing the number of bits in the key to 2048 makes any sense if I want to leave the passphrase blank anyway?
I'm setting up passwordless ssh logins on my LAN as I'm a bit tired of constantly being asked for a password.

Thank you

anomie · 06-08-2010, 05:12 PM

Check the ssh-keygen(1) manpages for your OS; -b 2048 should already be the default for most modern-ish implementations.

---

edit: Eh, I'm not sure if it makes sense. I am not crystal clear on whether your private key is derived from the passphrase.

sycamorex · 06-08-2010, 05:28 PM

Thanks. You might be right. I'm not sure if I get it right but according to the man page, the -b flag has nothing to with the private key which is encrypted using 128-bit AES.

When it comes to default value of -b, you're right, it is 2048.

unixfool · 06-09-2010, 01:54 PM

If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?

AFAIK, the private key isn't derived from the passphrase.

You can create a passphrase-less key, but it isn't a best practice.

chrism01 · 06-09-2010, 10:58 PM

The key-length protects data 'in-flight'. The longer the key, the harder to break.
The passphrase is a separate issue. If the system is secure enough, not having a passphrase maybe ok.
If you need to automate processes, then either

1. no passphrase
2. use ssh-agent as described, but you need to call the program from within that session. This is not practical for cron jobs.

sycamorex · 06-10-2010, 04:06 PM

Quote:

Originally Posted by unixfool

If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?

You can create a passphrase-less key, but it isn't a best practice.

Thank you all for your answers.
I know that in terms of security having a passwordless anything is not best practice, but as I said it's just for the purpose of my private LAN.

Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
I'm missing something here. I thought the introduction of keys was to get rid of passphrases in the first place. Yes....., I'm definitely missing something here

anomie · 06-10-2010, 04:31 PM

Quote:

Originally Posted by sycamorex

Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?

Yes, that's right.

But: you should take a look at the ssh-keygen(1) manpages, -O (constraint) option. You can restrict access by source address. (I'm not sure which version of openssh this first appeared in.)

sycamorex · 06-10-2010, 04:42 PM

Nice one, further IP restrictions (among others). Thanks