Security Basics mailing list archives

RE: SSH Passphrase

From: "Michael Sconzo" <msconzo () tamu edu>
Date: Wed, 5 Mar 2003 20:54:06 -0600

my $.02 on the matter.

Passwords and the like can basically be put into 3 categories:
1) something that you know (password/phrase)
2) something that you have (ssh key file/smart card)
3) something that you are (DNA/finger print)

If you consider these, they can all be faked.  The problem that you run into
is guarding each one properly. Not telling anybody your password, not giving
somebody your smart card or letting somebody draw your blood or copy your
finger print.  Now obviously some are easier/harder to do then the others.
But the long and the short of it they all have the same amount of
effectiveness.

Now, more specifically public key encryption.  This is based off the idea
that there is a 'hard' problem (be it factoring, discrete log ...etc).
Assuming none of these are going to be solved today or in the near future
the idea of public key encryption is safe and so should the concept of
rsa/dsa keys.  Now comes the fun part, protecting your private key.  So,
using 'standard' methods (file permissions, etc...) to secure your keys
where ever you keep them.  You can now have a usable and secure crypto
system without passwords.

So, hopefully this eases your mind as to the security of key files.  There
is obviously much more to be said (the more methods you employ...the more
things to defeat, and potentially the more secure the system), but I did the
best I could in an email.

-Mike

-----Original Message-----
From: Stefan Lesicnik [mailto:lists () lsd za com]
Sent: Wednesday, March 05, 2003 3:07 PM
To: security-basics () securityfocus com
Subject: SSH Passphrase


Hi,

Im fairly new to private and public key encryption, so dont quite
understand all the concepts.

I have the need to scp a file to a remote server without specifying the
password as it is done from a non-interactive script.

I have accomplished this by generating a dsa key without a passphrase.
Although this works I am worried about the security concerns of doing
this? (Without a passphrase, how does it authenticate? Based on the
machines dsa key which was made from machine specific entropy?)

I know of programs such as ssh-agent, but these require you to enter a
passphrase at the beginning of the session which it then remembers, this
isnt possible as it is non-interactive in my case. Does anyone have any
ideas or comments?

TIA
Stefan Lesicnik

Current thread:

Re: Outlook web access rogue (Mar 03)
- <Possible follow-ups>
- Re: Outlook web access i.t (Mar 03)
  - SSH Passphrase Stefan Lesicnik (Mar 05)
    - RE: SSH Passphrase Michael Cunningham (Mar 06)
    - RE: SSH Passphrase Michael Sconzo (Mar 06)
    - Re: SSH Passphrase Devdas Bhagat (Mar 06)
    - Re: SSH Passphrase David M. Fetter (Mar 06)
    - Re: SSH Passphrase Janus N. (Mar 07)
    - Re: SSH Passphrase Johan De Meersman (Mar 08)
- Re: Outlook web access Devdas Bhagat (Mar 03)
  - Re: Outlook web access Nuzman (Mar 04)
- Re: Outlook web access Chris Travers (Mar 03)
- RE: Outlook web access CHRIS GRABENSTEIN (Mar 03)
- RE: Outlook web access Jennifer Fountain (Mar 03)
  - Re: Outlook web access David Glosser (Mar 05)

(Thread continues...)