Tero Pesonen wrote:
On Friday 28 November 2008, James Knott wrote:
Tero Pesonen wrote:
On Friday 28 November 2008, G T Smith wrote:
Dominique Leuenberger wrote:
I rather assume the user wanted to disable password authentication in favor of key-based authentication. If you read the thread in context, this is at least what the story suggests.
I have this setup on my server and would not be afraid of its security.. or not more than with pw auth. Having keypair auth and no pass sounds pretty good practice to me.
Dominique
But how do you log into that box from wherever you happen to be if you do not have your private key at hand? Or did I miss something here? I'd take pw authentication over a key-based one any day unless I'd become a target of constant dictionary attacks that would affect performance. Otherwise, moving that private key from place A to B securely is too much trouble. With a good pw, no amount of guessing, however sophisticated or powerful, or by whichever entity, is going to work.
Regards, Tero Pesonen
There are two keys, the public one and the private one. You have to protect the private one and it's only on the computer you are connecting from. You can email the public key, if you wish, as it doesn't have to be protected. At the destination computer, it is added to the known_hosts file. The public key can be copied to any computer you wish to connect to.
Yes, I understand, but the problem lies exactly in that you need your private key wherever you're connecting from. That is, if I had to SSH into my box while at the university, I'd have to have my private key on that machine I would have to be using there (not an option, unless I'd bring my own laptop etc. -- not always possible) or on some memory stick or similar, and have that memory stick or select files always encrypted so that if, or when, I would lose it, I wouldn't get compromised.
But perhaps this wouldn't be too much trouble if I had the FS on that key remain unencrypted, with only the private key encrypted, and had both *NIX and Windows versions of GPG there (is that even possible?) or something like that, and the key would be decrypted only onto that stick, not onto the host machine's local disks, and later overwritten with zeros. Although you never know where some swapping might throw a copy of it on that machine.
But I think this might work.
Still, unless a key would be necessary, a plain password would be much easier to use securely.
Regards, Tero Pesonen
GPG is compatible with PGP on any other platform. Also, you can password protect the key. If you're using Linux boxes, you don't even have to copy the key to the computer. Just carry it on a USB drive and symlink to it.
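
An added example, not part of any message in this thread: before a private key travels on a memory stick as discussed above, a short check can confirm that the key file itself is passphrase-protected. It reads the cipher named in the key file's own header for both the current OpenSSH format and the older PEM format; the function names and the sample inputs are constructed for illustration and contain no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # start of the current OpenSSH private key format

def _read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n]

def key_protection(pem_text):
    """Return the cipher named in a private key file, or 'none' if it is stored in the clear."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if len(lines) < 3 or "PRIVATE KEY-----" not in lines[0]:
        raise ValueError("not a PEM-armoured private key")
    head, body = lines[0], lines[1:-1]
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        return _read_string(blob, len(MAGIC)).decode("ascii")  # ciphername field
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8-encrypted"
    for l in body:  # legacy PEM announces encryption in a DEK-Info header
        if l.startswith("DEK-Info:"):
            return l.split(":", 1)[1].split(",")[0].strip()
    return "none"

def sample_openssh(cipher):
    """Constructed header-only blob (no real key material) for the demo."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"\x00" * 8)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-format sample; the body is filler, not a key.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in [("new, encrypted", sample_openssh(b"aes256-ctr")),
                       ("new, clear", sample_openssh(b"none")),
                       ("legacy, encrypted", LEGACY_ENCRYPTED)]:
        print(name, "->", key_protection(text))
```

A result of `none` means anyone who finds the stick can use the key as-is; the check says nothing about the strength of the passphrase on a protected key.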