LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 06-08-2010, 05:17 PM   #1
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,578
Blog Entries: 1

Rep: Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033
ssh-keygen -t rsa -b 2048 without a passphrase


I was wondering whether increasing the strength of a key by increasing the number of bits in the key to 2048 makes any sense if I want to leave the passphrase blank anyway?
I'm setting up passwordless ssh logins on my LAN as I'm a bit tired of constantly being asked for a password.

Thank you
 
Old 06-08-2010, 06:12 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Check the ssh-keygen(1) manpages for your OS; -b 2048 should already be the default for most modern-ish implementations.

---

edit: Eh, I'm not sure if it makes sense. I am not crystal clear on whether your private key is derived from the passphrase.

Last edited by anomie; 06-08-2010 at 06:15 PM.
 
Old 06-08-2010, 06:28 PM   #3
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,578
Blog Entries: 1

Original Poster
Rep: Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033
Thanks. You might be right. I'm not sure if I get it right but according to the man page, the -b flag has nothing to with the private key which is encrypted using 128-bit AES.

When it comes to default value of -b, you're right, it is 2048.
 
Old 06-09-2010, 02:54 PM   #4
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?

AFAIK, the private key isn't derived from the passphrase.

You can create a passphrase-less key, but it isn't a best practice.
 
Old 06-09-2010, 11:58 PM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,311

Rep: Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040Reputation: 2040
The key-length protects data 'in-flight'. The longer the key, the harder to break.
The passphrase is a separate issue. If the system is secure enough, not having a passphrase maybe ok.
If you need to automate processes, then either

1. no passphrase
2. use ssh-agent as described, but you need to call the program from within that session. This is not practical for cron jobs.
 
Old 06-10-2010, 05:06 PM   #6
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,578
Blog Entries: 1

Original Poster
Rep: Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033
Quote:
Originally Posted by unixfool View Post
If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.

If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?


You can create a passphrase-less key, but it isn't a best practice.
Thank you all for your answers.
I know that in terms of security having a passwordless anything is not best practice, but as I said it's just for the purpose of my private LAN.

Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
I'm missing something here. I thought the introduction of keys was to get rid of passphrases in the first place. Yes....., I'm definitely missing something here
 
Old 06-10-2010, 05:31 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by sycamorex
Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
Yes, that's right.

But: you should take a look at the ssh-keygen(1) manpages, -O (constraint) option. You can restrict access by source address. (I'm not sure which version of openssh this first appeared in.)
 
Old 06-10-2010, 05:42 PM   #8
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,578
Blog Entries: 1

Original Poster
Rep: Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033Reputation: 1033
Nice one, further IP restrictions (among others). Thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Ssh-Keygen generation tuxianD Solaris / OpenSolaris 2 05-05-2010 03:45 PM
SSH no-password authentication: RSA Passphrase Nokao Linux - Server 8 12-28-2009 11:17 AM
passphrase authentication fails using rsa with OpenSSH 5.1p1 (Slackware 12.2) sysfce2 Linux - Newbie 16 11-01-2009 09:21 PM
ssh-agent, ssh-add and ssh-keygen AND CVS raylpc Linux - General 2 11-19-2008 03:50 AM
How to ssh-keygen? Baran Linux - Networking 5 04-26-2005 03:40 PM


All times are GMT -5. The time now is 02:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration