Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

03-16-2012, 07:52 PM  #1
LQ Newbie | Registered: Mar 2012 | Posts: 23
Is ssh keys authentication more secure than password authentication?
hello,
I am thinking of doing ssh tunneling to my home computer when I am outside.
I sort of read that ssh keys authentication is more secure than password authentication.
Thus far I've always used password authentication.
I want to try something new and need your personal experience on whether I should continue with passwords or go with keys.
PS: If I decide to go with keys should I disable password authentication from /etc/ssh/sshd_config?
Thanks for any feedback
Last edited by GrepAwkSed; 03-16-2012 at 08:14 PM.

03-16-2012, 09:53 PM  #2
LQ Guru | Registered: Feb 2004 | Location: SE Tennessee, USA | Distribution: Gentoo, LFS | Posts: 10,871
IMHO, it is definitely preferable to set up sshd to accept only keys-based authentication.
And, yes, this means that you must disable password authentication, because (quite annoyingly...) sshd seems positively eager to accept the least secure form of authentication that it can find.
The obvious advantage of "a key" is that you either have it or you don't. Anyone on earth can "know the magic word," but not so many people can be in possession of a unique, revocable, and non-forgeable key.
A clear advantage of keys, like that of the electronic identification badges that you probably use at your place of work, is that they can be individually issued, and therefore, individually revoked. If someone steals a copy of a badge, that badge can be deactivated without preventing any other badge-holder from entering the building. Also, it simply isn't feasible for anyone to create a forged copy of that badge.
If you want to impose a "password" restriction, simply encrypt the badge. Now, only a person who knows the proper password can use the badge. But if the badge itself is ever stolen or compromised, the badge can be selectively invalidated, no matter what the password(s) used to safeguard its contents might have been.
Last edited by sundialsvcs; 03-16-2012 at 09:55 PM.
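
A check for the point made in the post above and in the original question: after editing /etc/ssh/sshd_config, confirm that no password-style method is still accepted. This is an added example, not part of the thread; it assumes the effective settings were saved with `sshd -T > file` (run as root), and the function names `setting` and `audit_sshd` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): read effective sshd settings in the
# "keyword value" form printed by `sshd -T` and report whether any
# password-style login is still accepted.

# setting <keyword> <default> <file>: first value found, else the default.
setting() {
    v=$(awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }' "$3")
    printf '%s\n' "${v:-$2}"
}

# audit_sshd <file>: prints findings, returns 0 only for key-only login.
audit_sshd() {
    rc=0
    if [ "$(setting passwordauthentication yes "$1")" != no ]; then
        echo "FAIL: PasswordAuthentication is enabled"; rc=1
    fi
    # Keyboard-interactive (older keyword: ChallengeResponseAuthentication)
    # can still prompt for the account password through PAM.
    kbd=$(setting kbdinteractiveauthentication "" "$1")
    [ -n "$kbd" ] || kbd=$(setting challengeresponseauthentication yes "$1")
    if [ "$kbd" != no ]; then
        echo "FAIL: keyboard-interactive authentication is enabled"; rc=1
    fi
    if [ "$(setting pubkeyauthentication yes "$1")" != yes ]; then
        echo "FAIL: PubkeyAuthentication is off, key login will not work"; rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK: only key-based login is accepted"
    return "$rc"
}

# Constructed sample: PasswordAuthentication was turned off, nothing else.
d=$(mktemp -d)
printf '%s\n' 'passwordauthentication no' 'challengeresponseauthentication yes' \
    'pubkeyauthentication yes' 'usepam yes' > "$d/partial"
# Constructed sample: both password-style methods off, keys on.
printf '%s\n' 'passwordauthentication no' 'kbdinteractiveauthentication no' \
    'pubkeyauthentication yes' 'usepam yes' > "$d/keyonly"
audit_sshd "$d/partial" || true
audit_sshd "$d/keyonly"
rm -rf "$d"
```

Keep an existing SSH session open while testing a new login, so a failed PubkeyAuthentication check does not lock you out.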

03-16-2012, 10:02 PM  #3
LQ Newbie | Registered: Mar 2012 | Posts: 23 | Original Poster
thanks sundialsvcs for your input.
BTW, do I need to keep both id_rsa and id_rsa.pub in the .ssh/ folder?
If unsure, then I'll leave them there.

03-17-2012, 06:08 AM  #4
Senior Member | Registered: Jul 2007 | Distribution: Gentoo | Posts: 2,125
Transfer the public key to the server. Keep the private key with the client. It is safe to leave the public key with the client also. BTW, the public key is exactly that, public, and it is safe to give this key out. In the case of SSH, there is little need, but if you were to use keys for other purposes such as encrypted email you should keep this in mind.
Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).

03-17-2012, 06:17 AM  #5
Senior Member | Registered: Dec 2004 | Location: Marburg, Germany | Distribution: openSUSE 15.2 | Posts: 1,339
No, the id_rsa.pub you can delete on your local machine. In case you need it again, it can also be recreated by ssh-keygen -y.
Worth noting is that with a running ssh-agent and agent forwarding it’s also convenient to access several remote servers where you reach one from another one. This website explains it really nicely.
On the Mac the ssh-agent is started automatically nowadays (I think from 10.5 on).

03-17-2012, 06:30 AM  #6
Senior Member | Registered: Dec 2004 | Location: Marburg, Germany | Distribution: openSUSE 15.2 | Posts: 1,339
Quote:
Originally Posted by Noway2
Once you have transferred the public key to the server, you will need to append it to the list of authorized hosts. This is most easily done with the cat command, but use the >> operator and make a backup copy of your authorized_keys file first (been there, done that).
There is also the ssh-copy-id script for this purpose, unfortunately only on Linux, not on a Mac, but you could copy it thereto [Update: noticed too late that sundialsvcs uses a Mac, not the OP GrepAwkSed - so it should be there already]. Anyway, this means you need access by password before. Otherwise you usually have to send the public key to the admin of the server by email or the like to get access.
Last edited by Reuti; 03-17-2012 at 06:33 AM.
Reason: Thought OP uses a Mac
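
The manual append described in posts #4 and #6 (back up authorized_keys, then use >>), as an added example that is not part of the thread. The function name `add_authorized_key` is hypothetical, the key strings are constructed placeholders, and only three common key types are accepted.

```shell
#!/bin/sh
# Added example (not from the thread): append one public key to authorized_keys
# with a backup, no duplicates, and owner-only permissions, which satisfy
# sshd's StrictModes check.

# add_authorized_key <pubkey-file> <ssh-dir>; returns 2 if the input is refused.
add_authorized_key() {
    pub=$1; dir=$2; auth="$dir/authorized_keys"
    # Accept exactly one line starting with a public key type, so a private
    # key file ("-----BEGIN ...") can never be uploaded by mistake.
    if [ ! -r "$pub" ] || [ "$(grep -c '' "$pub")" -ne 1 ]; then
        echo "refused: expected exactly one key line" >&2; return 2
    fi
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refused: not a public key" >&2; return 2 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo "already present"; return 0
    fi
    cp -p "$auth" "$auth.bak"                        # backup before any change
    # If the last existing line lacks a newline, add one so keys do not merge.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    printf '%s\n' "$key" >> "$auth"                  # >> appends; > would wipe the list
    echo "added"
}

# Constructed demo data: placeholder key blobs, not real keys.
d=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDOLD old@desktop' > "$d/authorized_keys"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDNEW user@laptop' > "$d/id_rsa.pub"
add_authorized_key "$d/id_rsa.pub" "$d"    # added
add_authorized_key "$d/id_rsa.pub" "$d"    # already present
rm -rf "$d"
```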

03-17-2012, 08:25 PM  #7
LQ Newbie | Registered: Mar 2012 | Posts: 23 | Original Poster
Thanks to the new replies. Everything is working great.
All times are GMT -5. The time now is 07:26 AM.