Re: Passing password in ssh
Aldo Foot wrote:

Well, the scenario I described actually happened years ago to someone I knew.
If I create keys without a passphrase, and share the public keys between
two systems (A and B), then from system A I can log to system B by
simply saying "ssh user@B". This is very convenient for cron jobs.

This is particularly risky when the systems are accessed by the general public.
How does someone find out the username? I don't know... company phonebook,
online profiles listing first/lastname, etc.

You do know that you first have to get the private key of the key pair, right? So you have to crack user@A's account, at least to the point of getting the private key. Remember, the key will not work unless it is only readable by the user. The .ssh directory also needs to be set this way. So just being able to log into machine A is not enough. You also need access to the private key.

But even having a pass phrase does not help if someone uses dumb passwords. Things like first name as user name, and last name as password. Then they use their full name as the pass phrase on the key. Or if machine B lets you ssh in using username/password, and you have a user like this. The key is to use the tools responsibly.

Mikkel
--

Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
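The two conditions Mikkel describes (the private key must not be readable by anyone but its owner, and an unprotected key is usable by whoever copies it) can be audited on the host. The script below is an added example, not part of the thread; it assumes Linux with GNU coreutils (stat -c, base64) and builds constructed dummy key files, not real key material, to run against.

```shell
#!/bin/sh
# Audit a .ssh directory for: private keys readable by group/others
# (ssh itself refuses such keys) and private keys stored without a
# passphrase (usable by anyone who can copy the file). Assumes GNU stat/base64.

key_mode_ok() {   # true when group/other permission bits are all clear (0600/0400)
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

dir_mode_ok() {   # true when the directory is not group/world-writable
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

key_has_passphrase() {   # true when the key file is encrypted on disk
    f=$1
    # Legacy PEM keys declare encryption in a header line.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then return 0; fi
    # OpenSSH-format keys: the cipher name follows the "openssh-key-v1" magic;
    # cipher "none" means the key is stored in the clear.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        hdr=$(sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null | head -c 40 | tr -cd '[:print:]')
        case "$hdr" in openssh-key-v1none*) return 1 ;; *) return 0 ;; esac
    fi
    return 1   # PEM with no Proc-Type header: unencrypted
}

audit_ssh_dir() {   # prints one WARN line per finding; returns 1 if any were found
    dir=$1; rc=0
    dir_mode_ok "$dir" || { echo "WARN: $dir is group/world-writable"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] && grep -q 'PRIVATE KEY-----' "$f" || continue
        key_mode_ok "$f" || { echo "WARN: $f is readable by group/others"; rc=1; }
        key_has_passphrase "$f" || { echo "WARN: $f has no passphrase"; rc=1; }
    done
    return $rc
}

make_fixtures() {   # constructed dummy key files (no real key material) for a demo run
    d=$(mktemp -d); chmod 700 "$d"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEpAIBAAKCAQEA' '-----END RSA PRIVATE KEY-----' > "$d/id_plain"
    chmod 644 "$d/id_plain"                       # too open AND no passphrase
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,00' 'MIIEpAIBAAKCAQEA' '-----END RSA PRIVATE KEY-----' > "$d/id_enc"
    chmod 600 "$d/id_enc"                         # encrypted, correct mode: clean
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_clear"
    chmod 600 "$d/id_clear"                       # OpenSSH format, cipher "none"
    echo "$d"
}
```

On a real host, `ssh-keygen -y -P '' -f <keyfile>` is the authoritative passphrase test: it succeeds only for a key that is stored unencrypted.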

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list