LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-31-2014, 04:20 PM   #1
maples
Password auth. vs. Key auth. for SSH


Hi!
I have a server running Ubuntu Server 12.04.03 LTS, and it currently has keyfile-only authentication. However, I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22.

Is password login a big no-no, or is it safe if there is a long enough password? What should a good password look like?

Thanks for your time!
 
Old 03-31-2014, 05:06 PM   #2
cin_
security

security is a difficult thing to give advice on...

it really comes down to comforts and preferences

you say you want to go back to passwords for convenience sake but for some the keyfile may be more convenient,
you are free from keeping track and memorising many different passwords for many different services, also good passwords should be difficult to memorise

which leads to your second question of what a good password looks like,
well a good password, again is about your interests

if you are the only one on this server and your work is pretty anonymous then a password for you may just be about deterring superficial shenanigans and so a good password would be one you can easily remember

if you are talking about high security password then you would want to go with something that looks like the output of a hash function: c0e81794384491...

numbers and letters seemingly randomised
if you use common words the attacker can use a dictionary attack but if an attacker wants to guess your password and you have a password like this then the attacker would have to guess every possible combination of letters, 26 a-z, and numbers, 10 0-9
at 36 possible characters for each character of the password string you can calculate the number of guesses by taking 36**(PASS_LEN)

36**4 = 1679616
36**5 = 60466176
36**6 = 2176782336 possible combinations

that escalates quickly... obviously the more guesses required, the more secure the pass phrase will be, so i'd suggest a minimum of 6 characters

 
Old 03-31-2014, 05:07 PM   #3
evo2
Hi,
Quote: Originally Posted by maples
I have a server running Ubuntu Server 12.04.03 LTS, and it currently has keyfile-only authentication.
Good, that's how I set up all my machines. I also have "PermitRootLogin no" and make use of "AllowUsers".
Quote:
However, I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22.
That doesn't hurt and may reduce the number of entries in your logs, but do a search on "security through obscurity" and read what pops up.
Quote:
Is password login a big no-no, or is it safe if there is a long enough password?
A password being long is not enough to make it strong.
Quote:
What should a good password look like?
See this recent article by Bruce Schneier http://boingboing.net/2014/02/25/cho...-password.html

I suggest you stick with key based authentication. Protect your keys with strong passphrases and if you need to, carry them with you on a usb stick.

Evo2.
 
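The settings evo2 lists (key-only login, "PermitRootLogin no", "AllowUsers") can be checked mechanically. The script below is an added example, not code from the thread: it audits an sshd_config file and reports each setting that is not as recommended. The usernames and both sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# evo2 recommends (key-only login, PermitRootLogin no, AllowUsers).
# Usernames and file contents below are constructed for the demo.

# sshd_value FILE KEYWORD -> print the effective value of KEYWORD.
# Like sshd, the first uncommented occurrence wins; keyword match is case-insensitive.
sshd_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == kw   { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; the return value is the
# number of findings, so 0 means every checked setting is as recommended.
audit_sshd_config() {
    f="$1"; n=0
    # An unset PasswordAuthentication means "yes" in OpenSSH, so unset is a finding.
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no': password guessing is possible"; n=$((n + 1)); }
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; n=$((n + 1)); }
    [ "$(sshd_value "$f" PubkeyAuthentication)" != "no" ] ||
        { echo "PubkeyAuthentication is 'no': keys cannot be used"; n=$((n + 1)); }
    [ -n "$(sshd_value "$f" AllowUsers)" ] ||
        { echo "AllowUsers is unset: every local account may try to log in"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample configs: the "convenience" setup from the question,
# and one matching evo2's advice.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
Port 2222
PasswordAuthentication yes
#PermitRootLogin no
EOF
cat > "$HARD" <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers maples
EOF

echo "== weak config =="
audit_sshd_config "$WEAK" || echo "-> $? finding(s)"
echo "== hardened config =="
audit_sshd_config "$HARD" && echo "-> no findings"
```

On a live host, run the audit against the output of `sshd -T`, which prints the effective configuration with defaults filled in (its keywords are lowercase, which the lookup already handles).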
Old 03-31-2014, 06:18 PM   #4
maples
Thanks!
I'll take your advice and keep the password authentication.

Sorry if this was an overly "newbie" question. Regardless of what it says to the left of this post, I'm still pretty new to this.
 
Old 03-31-2014, 07:35 PM   #5
cin_
solved?

great, it's a fine question to ask for clarification between different security measures

if you're decided could you mark the thread as solved?
 
Old 03-31-2014, 07:37 PM   #6
maples
Marked as solved. Thanks!
 
Old 04-01-2014, 07:48 PM   #7
unSpawn
Quote: Originally Posted by maples
(..) I was thinking about setting it back to a password login, mainly for convenience. I am the only user of the server. Also, it does not listen on port 22. Is password login a big no-no, or is it safe if there is a long enough password? What should a good password look like?
I disagree: the port the service listens on doesn't enter the equation and you being the only user doesn't matter either. Many things get sacrificed under the misnomer of "convenience" and in this case (unless you care to explain otherwise) completely unnecessary as you would just use ssh-agent to load your keys for the duration of your session. Also see screen, autossh and sshfs.
 
Old 04-02-2014, 08:05 AM   #8
sundialsvcs
The strength of a key, versus a password, is that it is unique and non-forgeable. Therefore, you can issue access to individual people and revoke it from individual people. The (private) key, itself, should of course be encrypted. But, even if the equipment upon which the key was stored is stolen and the owner forced to divulge the password (ouch!), you can still individually deny access by that key.
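The per-key revocation sundialsvcs describes is just an edit to authorized_keys. The script below is an added example, not from the thread: it removes one entry by its key data while leaving options, comments and the other keys untouched. The key blobs, comments and network range are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: revoke one person's key from
# authorized_keys without touching the others, the per-key revocation
# sundialsvcs describes. Key blobs and comments below are constructed.

# revoke_key FILE BLOB -> remove every entry whose key data (the base64
# field after the key type) equals BLOB; options, comments and other keys
# stay. Returns 0 if an entry was removed, 1 if BLOB was not present.
# On a real host, pick the entry with `ssh-keygen -lf FILE`, which lists
# each key with its fingerprint and comment.
revoke_key() {
    f="$1"; blob="$2"; tmp="$f.tmp"
    awk -v blob="$blob" '
        { keep = 1
          for (i = 1; i < NF; i++)            # scan past any leading options
              if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) == blob) keep = 0
          if (keep) print }
    ' "$f" > "$tmp"
    removed=$(( $(wc -l < "$f") - $(wc -l < "$tmp") ))
    mv "$tmp" "$f"
    [ "$removed" -gt 0 ]
}

# count_keys FILE -> number of non-comment key entries.
count_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

AK=$(mktemp); trap 'rm -f "$AK" "$AK.tmp"' EXIT
cat > "$AK" <<'EOF'
ssh-ed25519 AAAAC3FAKE-LAPTOP-KEY maples@laptop
# key carried on the usb stick, restricted to the office network
from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3FAKE-USB-KEY maples@usb
ssh-rsa AAAAB3FAKE-OLD-DESKTOP-KEY maples@desktop
EOF

echo "before: $(count_keys "$AK") keys"
# The laptop was stolen: deny that key alone, the others keep working.
revoke_key "$AK" AAAAC3FAKE-LAPTOP-KEY && echo "laptop key revoked"
echo "after:  $(count_keys "$AK") keys"
cat "$AK"
```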