Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a Linux server with about 100 users that use passwords for logging in. I was thinking about switching to the use of public keys instead, but I am unsure which one is more secure.
When using passwords one can set a policy for length, special characters, how often to change them, etc.
With public keys one cannot force users to use passphrases; they are free to choose whichever they want, and it is totally out of control.
1. Public key vs Password Authentication. Which method to choose and why?
2. How to distribute public keys to the server making sure that it comes from the right person?
1. Public key vs Password Authentication. Which method to choose and why?
Keys are safer as you must have the password to the account to which you want to "paste" the key into the authorized_keys file from the beginning. Even better is to have a password-protected private key file. You just load your key when you start your desktop session and ensure you "lock the desktop" as soon as you move away from it.
Quote:
2. How to distribute public keys to the server making sure that it comes from the right person?
Just let the users distribute it themselves with clear instructions on which file needs what info and what mode should be set on the file for the sshd daemon to accept the key.
2. How to distribute public keys to the server making sure that it comes from the right person?
As the user has to log in to store the public key, you can rest assured that it's coming from the right spot.
Or, to be totally safe, you generate the key and have the user download the private key. But this way it could become known to someone who should not know it. So better have the user generate the key pair and copy the public key to the server.
Quote:
Originally Posted by bortek
1. Public key vs Password Authentication. Which method to choose and why?
Quote:
Why Public Key Authentication
you no longer have to type the password,
less effort to log in,
less times for it to be seen on your fingers by others,
easier to automate things like SCP or remote commands,
the password is no longer sent encrypted to OpenWrt,
less likely for an eavesdropper to capture it,
allows you to turn off password authentication,
impossible for an attacker to guess your password on OpenWrt.
I'd say it really depends on how much you trust your users. If you can be sure that they use passphrases, key login should be safer. But as I read it, you can't really do that. So stick with password login.
Also think about the passphrase. It has to be typed in as well (not if the user uses ssh-agent or similar). So you would have to make sure that they use a passphrase and ssh-agent. Something you just can't control.
I'd say through the nature of the ssh protocol both options are equally safe. So why not let the user make the decision which one to use?
The keys are safer ONLY if they are passphrased, because if they are not then a lost or stolen key gets an attacker access to the system without a password. Since it is very hard to force users to use a passphrase, maybe password is a better alternative?
To use keys I need to find out how to securely generate a key pair for the user, enforcing a passphrase and at the same time without letting this key leave the client's PC. But there is an even greater problem: how do I know that the public key received from the user really belongs to that user? If it's emailed then an attacker might easily forge an email and send her own key instead of the legitimate one. Is there any mechanism that ensures that the public key comes from the right person? I guess not.
With passwords you have better control as you know that you have sent it to the user and he must change it on the first login. If an attacker gets the first-time password and changes it, the user will notice it and report it.
The keys are safer ONLY if they are passphrased, because if they are not then a lost or stolen key gets an attacker access to the system without a password. Since it is very hard to force users to use a passphrase, maybe password is a better alternative?
As using a passphrase is in the user's hands, using a password for login is definitely the safer choice. Or educate the user, which is in my opinion a true art, because not everyone is willing to learn or take on some hassle when one can go without.
Quote:
Originally Posted by bortek
To use keys I need to find out how to securely generate a key pair for the user, enforcing a passphrase and at the same time without letting this key leave the client's PC. But there is an even greater problem: how do I know that the public key received from the user really belongs to that user? If it's emailed then an attacker might easily forge an email and send her own key instead of the legitimate one. Is there any mechanism that ensures that the public key comes from the right person? I guess not.
Like woulfperkins suggested, write a decent tutorial and have the user do the key creation. When they are logged in, an ssh-keygen -t rsa -b 2048 should be self-explanatory. And the users have their key pair. Then they only need to download the private key with scp.
If they generate it on their machine it's the same step but with uploading the public key. And as the transfer goes through ssh it's secure from eavesdropping. Sending by mail is not an option (besides using gpg, but this could also be forged). Maybe an upload through https would work.
Quote:
Originally Posted by bortek
With passwords you have better control as you know that you have sent it to the user and he must change it on the first login. If an attacker gets the first-time password and changes it, the user will notice it and report it.
If I gained some password, why would I change it? This would only ring the alarm. So I would not change it and the user does not know that I know it.
But SSH comes to the rescue as it prints the last login and from where this login happened. This only leads the user to write down when he logged in last.
The leakage of the password as well as the passphrase leads to doom, so what are you to do? Not have either leak out...
It's a tough decision. I would just go with the passwords. Just implement some good policies and have the user change the password every month. I'd say this fits best.
Using keys would take preference over using passwords, but best to use a combination of measures for good security.
dsa keys
AllowUsers directive in sshd config file
lock down source ips in a firewall or /etc/security/access.conf
BTW if using public keys, the PAM module (and therefore password authentication) should be disabled, which brings me to another point: key distribution without SCP/SSH.
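As an added example that is not from this thread: a small POSIX sh check covering the earlier reply's point about which file needs what mode for sshd to accept a key, and this post's measures (password authentication off, AllowUsers set). It assumes GNU stat on Linux; the home directory, key lines and sshd_config it builds are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks what the replies say sshd
# needs before it accepts a key (modes on ~/.ssh and authorized_keys, well-formed
# key lines) and that sshd_config disables password auth and sets AllowUsers.
# Assumes GNU stat (Linux); all paths, keys and config below are constructed.

# 0 if the path exists and is not group- or world-writable (StrictModes check).
not_writable_by_others() {
    [ -e "$1" ] || return 1
    case "$(stat -c '%A' "$1")" in
        ?????-??-?) return 0 ;;   # chars 6 and 9 are the group/other w bits
        *) return 1 ;;
    esac
}

# 0 if both ~/.ssh and ~/.ssh/authorized_keys under home dir $1 pass.
check_ssh_modes() {
    not_writable_by_others "$1/.ssh" &&
    not_writable_by_others "$1/.ssh/authorized_keys"
}

# Print how many non-blank, non-comment lines of authorized_keys $1 are not
# "<keytype> <base64> [comment]". A leading options field such as from="..."
# is not recognised here (a simplification of sshd's own parser).
count_bad_key_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    grep -Evc '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+) [A-Za-z0-9+/]+=*( .*)?$' || true
}

# 0 if sshd_config $1 has PasswordAuthentication no, PubkeyAuthentication yes
# and a non-empty AllowUsers line, all uncommented (sshd uses the first match).
check_sshd_config() {
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1" &&
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]' "$1"
}

# Build a throwaway home dir with constructed keys and config; prints its path.
# The last key line is the PuTTY export header users often paste by mistake.
make_fixture() {
    fx=$(mktemp -d) && mkdir -m 700 "$fx/.ssh"
    cat > "$fx/.ssh/authorized_keys" <<'EOF'
# constructed test keys, not real
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob alice@laptop
---- BEGIN SSH2 PUBLIC KEY ----
EOF
    chmod 600 "$fx/.ssh/authorized_keys"
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers alice bob\n' > "$fx/sshd_config"
    echo "$fx"
}
```

Run it as `fx=$(make_fixture); check_ssh_modes "$fx" && echo modes ok; count_bad_key_lines "$fx/.ssh/authorized_keys"` to see the one malformed line reported.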
Thanks for the suggestions. I am still not convinced myself to go with public keys, mainly due to the difficulty of implementing a passphrase change policy; it's unfortunately not possible.
With pubkeys I would do the following.
Write a Java or PHP version of PuTTYgen, let the keys be generated by the browser on the client PC. Keep the private key on the client's PC and upload the public part with the browser to the server.
Two-factor authentication will always be the better security method compared to one-factor (passwords), IMO. Actually this isn't just my opinion. This is a 'best practice' bullet item in the security industry. The next best solution would be password authentication where the user has to periodically reset their passwords using something that wasn't previously used and includes symbols, numbers, and upper-/lower-case characters, with six to eight characters.
Note also that the passphrase is the proof that you are the rightful owner of the key.
Also, I'd not let users configure this on their own unless you've the capacity/time to fix those accounts that get borked if the users implement this improperly, as it has already been said that some users may not be technically inclined.