LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-25-2014, 12:04 AM   #1
mxmaniac
LQ Newbie
 
Registered: Feb 2014
Posts: 26

Rep: Reputation: Disabled
Are strong SSH passwords not considered secure?


I hear it over and over again, people saying SSH access via passwords is a bad habit, and that key authorization is the way to go. But is it really a security issue as long as your password is strong? Or are they just exaggerating?

Say I think of a long, obscure password, that is not difficult for me to remember, for example.
climbingupa7407footmountaininin7407seconds!

Isn't that plenty secure enough to not even need to think about using a key?

Isn't using a key "instead" of a password potentially less secure, because if someone steals a computer with your key on it, somehow steals a key, or accesses it when you turn your back, they could log right in without needing to know credentials right? Whereas a password they could never do that.
 
Old 02-25-2014, 12:29 AM   #2
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Hi,

you should almost never use a key instead of a password. Instead you should be using a key which is protected by a strong passphrase.

Evo2.
 
Old 02-25-2014, 05:26 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,541

Rep: Reputation: 919Reputation: 919Reputation: 919Reputation: 919Reputation: 919Reputation: 919Reputation: 919Reputation: 919
Quote:
Originally Posted by mxmaniac View Post
Say I think of a long, obscure password, that is not difficult for me to remember, for example.
climbingupa7407footmountaininin7407seconds!
Which as it only uses lower case letters and digits and one "special" character wouldn't meet any of my servers complexity guidelines
 
Old 02-25-2014, 05:47 AM   #4
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203Reputation: 203Reputation: 203
There is more to it than the complexity of the password... A man in the middle attack is far more easier to be pulled off in a SSH with password connection, but almost impossible with key authorizations

L.E.: See this for a brief description: http://www.gremwell.com/ssh-mitm-pub...authentication

Last edited by Smokey_justme; 02-25-2014 at 05:50 AM.
 
1 members found this post helpful.
Old 02-25-2014, 04:28 PM   #5
mxmaniac
LQ Newbie
 
Registered: Feb 2014
Posts: 26

Original Poster
Rep: Reputation: Disabled
In that case. Is it possible (and easy/common) to setup the standard openssh server to allow login via either passphrase protected key or password?

The idea would be the passphrase protected key would be used 99.95% of the time

For example, I normally only have one laptop I ever plan to use to connect to the ssh server. Well what I'm on vacation, and that laptop gets lost/stolen/corrupted, etc. And I need to buy a new one, borrow one, use a cell phone, etc. I'd be locked out without a key right? In that case, having password login as an option would let me gain entry right?

Or is there a better way to cope with that issue? Storing a passphrase protected key in the cloud perhaps?
 
Old 02-25-2014, 04:40 PM   #6
jzoudavy
Member
 
Registered: Apr 2012
Distribution: Ubuntu, SUSE, Redhat
Posts: 188

Rep: Reputation: Disabled
is the threat you are facing that severe?
 
Old 02-25-2014, 10:39 PM   #7
mxmaniac
LQ Newbie
 
Registered: Feb 2014
Posts: 26

Original Poster
Rep: Reputation: Disabled
Threat is minimal. I'm just an average joe, with nothing much important on any of my computers besides personal files and photos nobody else would care about. I just like to err on the side of caution, and also learn to do things the right way.
 
Old 02-25-2014, 10:47 PM   #8
descendant_command
Senior Member
 
Registered: Mar 2012
Posts: 1,509

Rep: Reputation: 394Reputation: 394Reputation: 394Reputation: 394
Quote:
Originally Posted by mxmaniac View Post
Threat is minimal. I'm just an average joe, with nothing much important on any of my computers besides personal files and photos nobody else would care about. I just like to err on the side of caution, and also learn to do things the right way.
"They" don't give a flying one about the contents of your machine.
The value is in "owning" a machine that doesn't point back to them.
 
Old 02-25-2014, 11:02 PM   #9
jzoudavy
Member
 
Registered: Apr 2012
Distribution: Ubuntu, SUSE, Redhat
Posts: 188

Rep: Reputation: Disabled
Quote:
Originally Posted by mxmaniac View Post
Threat is minimal. I'm just an average joe, with nothing much important on any of my computers besides personal files and photos nobody else would care about. I just like to err on the side of caution, and also learn to do things the right way.
well then, full steam ahead sir!
 
Old 02-25-2014, 11:48 PM   #10
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Hi,

here's a timely article from Bruce Schneier which covers "strong" passwords: http://boingboing.net/2014/02/25/cho...-password.html

Cheers,

Evo2.
 
Old 02-25-2014, 11:50 PM   #11
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian
Posts: 2,207

Rep: Reputation: 341Reputation: 341Reputation: 341Reputation: 341
Quote:
Originally Posted by mxmaniac View Post
For example, I normally only have one laptop I ever plan to use to connect to the ssh server. Well what I'm on vacation, and that laptop gets lost/stolen/corrupted, etc. And I need to buy a new one, borrow one, use a cell phone, etc. I'd be locked out without a key right? In that case, having password login as an option would let me gain entry right?
Assuming you will come home from vacation at some point, you just nuke the old key from authorized_keys and setup a new key pair on the server.

If you absoultely must access your home server while on vacation after getting your laptop stolen, you could have proactively emailed your (passphrase protected, hence encryped) private key to yourself using gmail or some other web-based free email. You can access gmail (or whatever) from anywhere using any browser on any computer.
 
Old 02-25-2014, 11:50 PM   #12
mxmaniac
LQ Newbie
 
Registered: Feb 2014
Posts: 26

Original Poster
Rep: Reputation: Disabled
So is there a good solution to using passphrase protected key encryption, but also have a backup plan just in case a key somehow gets lost?

Perhaps keeping a copy of the key in a cloud location, or web e-mail avaialble for re-download? If that is indeed a good solution, are keys cross platform compatible? Like if the key was made on linux, but then I needed to use it in putty for windows, or in an android ssh program?
 
Old 02-26-2014, 12:00 AM   #13
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and Scientific Linux
Posts: 5,753

Rep: Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288Reputation: 1288
Hi,
Quote:
Originally Posted by mxmaniac View Post
So is there a good solution to using passphrase protected key encryption, but also have a backup plan just in case a key somehow gets lost?
Sure, keep a copy of the key on a usb stick or something.
Eg.
Code:
cp ~/.ssh/id_rsa
/media/my-usb-stick/
Quote:
Perhaps keeping a copy of the key in a cloud location, or web e-mail avaialble for re-download?
No! Protect your private key(s), don't deposit them untrusted places.
Quote:
If that is indeed a good solution, are keys cross platform compatible?
They're nothing more than text files with a few thousand characters.
Quote:
Like if the key was made on linux, but then I needed to use it in putty for windows, or in an android ssh program?
If it is the same type, then yes (eg RSA, DSA etc).

Evo2.
 
Old 02-26-2014, 06:18 AM   #14
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203Reputation: 203Reputation: 203
Quote:
Originally Posted by mxmaniac View Post
Threat is minimal. I'm just an average joe, with nothing much important on any of my computers besides personal files and photos nobody else would care about. I just like to err on the side of caution, and also learn to do things the right way.
Then enable both key and password access... From the moment a key gets stolen (let's say with your laptop), don't ever use it again.. (so backup in this case fails -- that's not to say you shouldn't have a backup in some place) and remove it from the servers 'authorized_keys'

Or use two keys... One for permanent usage, and one on a USB Stick, for worst-case scenarios...

Just be sure, when using passwords to connect, man in the middle isn't likely to happen (no Wifi is a good start)..

Security wise, ensure that 'root' can't connect to your ssh server and setup something like fail2ban

Don't overstress about this, security should be as simple as it can be...

Last edited by Smokey_justme; 02-26-2014 at 06:20 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: 8 Tips for Choosing A Secure and Strong Passwords | Pwgen CLI Tool LXer Syndicated Linux News 0 03-29-2012 11:01 PM
Forcing Users for strong passwords sushantchawla2005 Linux - Server 5 08-21-2009 10:12 AM
Strong Passwords, SquirrelMail, and Vacation linuxlastslonge Linux - Software 8 07-10-2007 01:45 AM
strong passwords csaunders Red Hat 5 02-24-2007 10:33 AM
How to turn OFF strong passwords? kkempter Red Hat 1 02-22-2005 08:55 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:57 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration