Posted Jan 14, 2010 9:17 UTC (Thu) by marcH (subscriber, #57642)
Parent article: SSH: passwords or keys?
> For password-protected keys, that means that the user must enter the password to decrypt the private key before the ssh client can use it to authenticate with the server. Since many users like key-based authentication because it doesn't require passwords, this extra level of key security can be annoying and often gets omitted.
Wrong. These users neither omit the passphrase nor are annoyed, because they simply use ssh-agent. Like this, they have to type the passphrase only once at login. And as a bonus, ssh-agent automagically manages multiple identities.
The only major omission I can see here is: not mentioning ssh-agent in the main article. Hard to believe.
Posted Jan 14, 2010 20:43 UTC (Thu) by tseaver (subscriber, #1544)
I agree that neglecting to mention ssh-agent was a puzzling oversight. I've been using it successfully for ten years now (it has gotten easier since gdm started helping instead of getting in the way), and therefore have a *terrifically* long / high-entropy passphrase on the key, which I type once per login to the box where the private key is stored.
I never reuse my private key across machines, and never allow root login or password-based login over SSH on any host I admin. I like this setup a lot, and can't imagine that anybody thinks password-based schemes are intrinsically "more secure."
SSH: passwords or keys?
Posted Jan 14, 2010 22:25 UTC (Thu) by nix (subscriber, #2304)
ssh-agent has one problem: it breaks use of multiple keys. If you have an agent running, the agent is *always* used, even if you specified a different key via ssh -i. Very annoying (but I still use ssh-agent everywhere).
SSH: passwords or keys?
Posted Jan 15, 2010 2:28 UTC (Fri) by jschrod (subscriber, #1646)
You have to add -o IdentitiesOnly=yes to skip the agent's keys.
SSH: passwords or keys?
Posted Jan 16, 2010 12:29 UTC (Sat) by nix (subscriber, #2304)
OOo. Thank you, that's very useful! (though I'm not sure it'll help if you have lots of identities in your .ssh directory which the agent doesn't know about. I suppose the solution there is to add them to the agent.)
SSH: passwords or keys?
Posted Jan 18, 2010 14:42 UTC (Mon) by jschrod (subscriber, #1646)
Well, I suppose the option may be for paranoid people who don't want to use their agent-stored identities for authentication tries against unknown ssh servers. Me, I use it mainly for debugging connection and/or authentication problems to well-known servers when the ssh daemon there is running in debug mode and I want to have precise control what my client sends to it.
SSH: passwords or keys?
Posted Jan 15, 2010 9:58 UTC (Fri) by marcH (subscriber, #57642)
How could you notice this? (besides enabling verbose mode)
SSH: passwords or keys?
Posted Jan 16, 2010 12:32 UTC (Sat) by nix (subscriber, #2304)
System A had an agent running on it. I sshed to system B, which has a pile of identities on it, and tried to use one of them to get to system C. No can do, it insisted on using system A's key, which system C had never heard of.
SSH: passwords or keys?
Posted Jan 16, 2010 15:20 UTC (Sat) by marcH (subscriber, #57642)
I am afraid I am lost here... how can system B talk to the agent running on system A!?
My experience with ssh-agent and multiple identities is quite different. The agent never "insists" but quickly gives up and eventually lets ssh use the "-i" key.
SSH: passwords or keys?
Posted Jan 17, 2010 13:34 UTC (Sun) by nix (subscriber, #2304)
Sorry, I missed a bit. System B can talk to system A's agent because agent forwarding was turned on (I tend to have it on almost everywhere because normally it's useful).
SSH: passwords or keys?
Posted Jan 17, 2010 18:08 UTC (Sun) by janfrode (subscriber, #244)
Then I hope you have complete trust in the admins and security of those boxes, as they can easily use your private keys (unless you have the agent prompt you to confirm every auth).
SSH: passwords or keys?
Posted Jan 17, 2010 22:59 UTC (Sun) by nix (subscriber, #2304)
Well, yes. I administer system A and system B in this scenario, and I trust myself (but not system C, and agent forwarding is turned off for the ssh to system C: but it insists on using the agent's keys anyway, even though I specifically asked it to use a different one using -i.)
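As an added illustration (not from any of the posters above), a ~/.ssh/config that applies the two points the thread arrives at: IdentitiesOnly=yes so that only the named key is offered to system C even when a forwarded agent holding other keys is reachable, and agent forwarding limited to the hosts you administer yourself. The host aliases and key path are placeholders; remember that ssh_config uses the first matching value, so the specific Host blocks must come before the Host * defaults.

```sshconfig
# Added example ~/.ssh/config; host aliases and the key path are placeholders.

# Hops you administer yourself (system A and system B in the thread):
# forwarding the agent here is a deliberate choice, not the default.
Host systemA systemB
    ForwardAgent yes

# Server you do not trust (system C): offer exactly one key and ignore
# whatever keys the agent, forwarded or local, happens to hold.
Host systemC
    IdentityFile ~/.ssh/id_systemC
    IdentitiesOnly yes

# Defaults for everything else, placed last because the first value
# ssh obtains for an option wins. A forwarded agent lets root on the
# remote host sign with any of your loaded keys for the life of the
# session, so forwarding is off unless a block above enables it.
Host *
    ForwardAgent no
    IdentitiesOnly yes
```

With IdentitiesOnly yes, ssh still lets the agent do the signing when the listed key is loaded in it, but it no longer tries the agent's other identities, which is the behaviour nix was missing; loading keys with `ssh-add -c` makes the agent ask for confirmation before every signature, the prompt janfrode refers to.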