[Techtalk] thoughts on OpenSSH key passphrase/ no passphrase

Wim De Smet kromagg at gmail.com
Fri Dec 2 05:37:00 EST 2005


On 11/27/05, Carla Schroder <carla at bratgrrl.com> wrote:
> Being the belt n suspenders type, I always put a passphrase on my SSH keys. If
> I need automatic logins, like cron jobs or I just don't feel like typing a
> lot of dern passphrases, I use the keychain utility. (The one drawback to
> keychain is you have to start over at reboot.)
>
> Some folks think using public-key authentication without a passphrase is more
> secure than using it with a passphrase. Which does not make sense to me.
>
> Anyone have deep thoughts on the subject? Or even shallow ones.
>

Well, first of all, I do not think that without the passphrase it would
be more secure. What I have been told (and is probably true) is that
the protection from the passphrase is rather weak (as in crackable on
consumer grade hardware). If I recall correctly the passphrase just
encrypts your private key. So putting a passphrase doesn't provide
much extra security. At best it gives you a bit more time if somebody
steals your keys to react by disabling those on the hosts you were
using them at.

I often hear people say "weak security is worse than no security" so
perhaps that's the reason they're against passphrase-encryption of
your keys? Or perhaps they misunderstood and were thinking of
passworded authentication (which is indeed less secure because of the
key length).

greets,
Wim
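The point in the reply above, that the passphrase only encrypts the private key on disk, can be checked directly from the key file. The script below is an added example, not code from the thread: it parses the header of a private key and reports whether it is encrypted, with which cipher, and (for the current OpenSSH format) the bcrypt KDF round count that sets the cost of each offline guess; a legacy PEM key is recognised by its Proc-Type/DEK-Info headers, whose passphrase-derived key comes from a single MD5 pass. The sample keys are constructed inline (valid headers, filler bodies, not loadable keys).

```python
import base64, struct

MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b):  # SSH 'string': uint32 big-endian length prefix + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):  # decode an SSH 'string'; return (bytes, next offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_private_key(text):
    """Report how a private key file is protected on disk.
    Current OpenSSH format (PROTOCOL.key): the header names the cipher, the
    KDF and, for bcrypt, the round count that sets the cost of each guess.
    Legacy PEM: Proc-Type/DEK-Info mark an encrypted key (single MD5 pass).
    """
    lines = text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    hdrs = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    enc = hdrs.get("Proc-Type") == "4,ENCRYPTED"
    return {"format": "pem", "encrypted": enc, "rounds": 1 if enc else None,
            "cipher": hdrs.get("DEK-Info", "none").split(",")[0],
            "kdf": "md5-once" if enc else "none"}

def build_sample(cipher, kdf, rounds):
    """Constructed OpenSSH-format sample: valid header, filler body (not loadable)."""
    opts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(opts)
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 51) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM sample; only the headers matter for this check.
LEGACY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
              "-----END RSA PRIVATE KEY-----\n")
```

Running `inspect_private_key(open("~/.ssh/id_ed25519").read())` over each key in a user's key directory gives an inventory of which keys have no passphrase, which use the legacy format, and which use bcrypt with how many rounds.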

