Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I was wondering whether increasing the strength of a key by increasing the number of bits in the key to 2048 makes any sense if I want to leave the passphrase blank anyway?
I'm setting up passwordless ssh logins on my LAN as I'm a bit tired of constantly being asked for a password.
Thanks. You might be right. I'm not sure if I get it right but according to the man page, the -b flag has nothing to with the private key which is encrypted using 128-bit AES.
When it comes to default value of -b, you're right, it is 2048.
The key-length protects data 'in-flight'. The longer the key, the harder to break.
The passphrase is a separate issue. If the system is secure enough, not having a passphrase maybe ok.
If you need to automate processes, then either
1. no passphrase
2. use ssh-agent as described, but you need to call the program from within that session. This is not practical for cron jobs.
If you're tired of constantly being asked for your password, maybe you should just utilize ssh-agent.
If you create a passphrase-less key, what prevents someone from stealing and using that key? After all, it isn't locked down with a passphrase, right?
You can create a passphrase-less key, but it isn't a best practice.
Thank you all for your answers.
I know that in terms of security having a passwordless anything is not best practice, but as I said it's just for the purpose of my private LAN.
Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
I'm missing something here. I thought the introduction of keys was to get rid of passphrases in the first place. Yes....., I'm definitely missing something here
Let me get this straight, if someone steals that key they could ssh into my computer from any other box (assuming I allow ssh from outside of my LAN, which I don't) without any password. Is that right?
Yes, that's right.
But: you should take a look at the ssh-keygen(1) manpages, -O (constraint) option. You can restrict access by source address. (I'm not sure which version of openssh this first appeared in.)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
