
Thoughts on Public Key versus Password authentication


Chris Green

Sep 17, 2020, 4:48:05 AM
All these recent questions about connecting from a laptop to a home
(desktop) machine bring me back to my original reasons for using
password authentication rather than Public Key authentication.

My original (and still valid) reasoning was as follows:-

Password authentication will *always* ask for the password, there's no
equivalent of a key agent. So, if I leave my laptop lying around and
turned on (I often do), as long as I log out from the connections to
the home desktop machine someone else can't access my home desktop
unless they know the password.

Public Key authentication doesn't (by default, using an agent) provide
this security, once the key passphrase has been entered anyone with
access to my laptop can connect to my home machine.

Yes, there are ways to reduce the risk with Public Key authentication
but I don't see any major advantages in the underlying security so
what's to be gained.

A remote user (i.e. someone at my laptop) can't brute force the
password as the increasing delays on entering an incorrect password
prevent this. So, if the password is sensibly secure, I see no major
security problem.

Unauthorised access to my desktop machine is far more likely to be due
to overlooking some obvious 'design' fault than to someone breaking my
password IMHO.

Thoughts anyone, am I missing anything obvious (quite likely!)?

--
Chris Green

Richard Kettlewell

Sep 17, 2020, 10:09:31 AM
I think your threat model here is someone entering commands on a
computer that you’ve temporarily left unattended. If so then the thing
you’ve missed is that the attacker can install a keylogger and capture
your password next time you use it.

That threat applies to password-protected keys as well, of course; at
best it may take a little longer since you may type that passphrase less
often.

--
https://www.greenend.org.uk/rjk/

Chris Green

Sep 17, 2020, 11:18:04 AM
Good point, though it's fairly unlikely isn't it? The intruder has to
find my computer unattended and happens to have a Linux aware key
logger available (presumably on a stick) and the means to install it.
However I guess people who are likely to have that sort of thing will
also have them on an 'easy to install quickly' medium of some sort.

Thanks for that though, it's in the "missing anything obvious" line of
things! No matter how secure your password/passphrase is a key-logger
will reveal it.

--
Chris Green

Richard Kettlewell

Sep 17, 2020, 4:44:58 PM
Chris Green <c...@isbd.net> writes:
> Richard Kettlewell <inv...@invalid.invalid> wrote:
>> I think your threat model here is someone entering commands on a
>> computer that you’ve temporarily left unattended. If so then the thing
>> you’ve missed is that the attacker can install a keylogger and capture
>> your password next time you use it.
>>
>> That threat applies to password-protected keys as well, of course; at
>> best it may take a little longer since you may type that passphrase less
>> often.
>
> Good point, though it's fairly unlikely isn't it? The intruder has to
> find my computer unattended and happens to have a Linux aware key
> logger available (presumably on a stick) and the means to install it.
> However I guess people who are likely to have that sort of thing will
> also have them on an 'easy to install quickly' medium of some sort.

It doesn’t need to be any more complex than:
curl some.url | bash

--
https://www.greenend.org.uk/rjk/

Chris Green

Sep 18, 2020, 4:18:05 AM
True. :-)

--
Chris Green

Grant Taylor

Sep 18, 2020, 11:43:26 AM
On 9/17/20 2:44 AM, Chris Green wrote:
> Public Key authentication doesn't (by default, using an agent) provide
> this security, once the key passphrase has been entered anyone with
> access to my laptop can connect to my home machine.

I'm not quite sure how to unpack "by default, using an agent". Are you
referring to the agent's default behavior or that you are using an agent
by default?

Have you looked at the "-t <seconds>" option to adding keys to the agent?

My understanding is that you can make keys via agent behave as if they
only exist in the agent for the specified number of seconds.

This makes me think that if your keys had a passphrase on them and that
the number of seconds since added had expired that you would be prompted
for the passphrase for the key again.

I think that you might be able to get the ssh agent to behave somewhat
like sudo in that it remembers you for a specified amount of time.



--
Grant. . . .
unix || die
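
What `ssh-add -t <seconds>` does to a key held by the agent, as an added example that is not part of any post in this thread. It assumes OpenSSH client tools are installed; the private agent socket, the temporary directory and the passphrase-less key labelled `demo-key` are constructed so the demo runs unattended.

```shell
#!/bin/sh
# Added example: watch ssh-agent drop a key once its `ssh-add -t` lifetime ends.
# Prints "<keys held before expiry> <keys held after expiry>".
agent_lifetime_demo() (
    ttl=${1:-2}                       # lifetime in seconds (constructed value)
    tmp=$(mktemp -d) || exit 1

    # Private agent on its own socket. The function body runs in a subshell,
    # so the caller's SSH_AUTH_SOCK and real agent are never touched.
    eval "$(ssh-agent -s -a "$tmp/agent.sock")" >/dev/null || exit 1
    trap 'ssh-agent -k >/dev/null 2>&1; rm -rf "$tmp"' EXIT

    # Throwaway key. The empty passphrase is only so the demo needs no typing;
    # a real key would carry one, and it is asked for again once the key
    # has expired from the agent.
    ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$tmp/id_demo" || exit 1

    # -t sets how long the agent keeps this identity.
    ssh-add -t "$ttl" "$tmp/id_demo" >/dev/null 2>&1 || exit 1

    before=$(ssh-add -l 2>/dev/null | grep -c demo-key || true)
    sleep $((ttl + 1))
    # After expiry `ssh-add -l` reports no identities and exits non-zero.
    after=$(ssh-add -l 2>/dev/null | grep -c demo-key || true)

    echo "$before $after"
)
```

Running `agent_lifetime_demo 2` prints `1 0`: the agent holds the key while the lifetime runs and no longer offers it afterwards.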

Chris Green

Sep 18, 2020, 2:03:05 PM
Yes, you can do that, but it only gets you back to the same place as
password authentication gets you to by default.

--
Chris Green

Grant Taylor

Sep 18, 2020, 4:35:41 PM
On 9/18/20 11:58 AM, Chris Green wrote:
> Yes, you can do that, but it only gets you back to the same place as
> password authentication gets you to by default.

It's not quite the same place.

You can use the key for multiple connections for the key's lifetime.

So if you set the lifetime to be 15 seconds, then any background use,
e.g. ProxyJump, will benefit from it.

Chris Green

Sep 19, 2020, 5:33:05 AM
Yes, but that effectively reduces security still - when I used password
authentication the proxy machine had a different password so an
intruder had to know two passwords.

I could, of course, implement the same with Public Key but that
removes the 'advantage' you offer above. :-)

--
Chris Green