Why is passwordless ssh not a terrible idea?

2

So, I generated a passwordless key pair and uploaded it to all of my remote accounts. And now I can log in to all of my remote accounts with extreme ease and comfort. And so can a malicious user who (somehow) gains access to my account which has the private key (my home computer). So, why do people still use passwordless logins? It sounds like a terrible idea, keeping all of your eggs in one basket. Am I becoming paranoid? :-D

dijxtra

Posted 2012-01-03T19:21:08.310

Reputation: 193

Question was closed 2012-01-04T05:56:47.313

What default passwords or lack thereof can lead to: http://nakedsecurity.sophos.com/2009/11/08/iphone-worm-discovered-wallpaper-rick-astley-photo/

– octosquidopus – 2012-01-03T19:26:15.277

According to this answer passwordless logins are MORE secure! http://security.stackexchange.com/questions/9870/secure-ssh-passwordless-logins-more-secure

– flashnode – 2012-01-03T19:41:32.117

Answers

4

Not quite sure what you're looking for here; "passwordless" logins (no password on a private key, as described in the original question) are always a bad idea, and the only situation I've seen to try and justify them (automatically logging into a non-shell account to trigger a predefined server-side script which runs any time that key is used to log in) can be replaced with much more secure manners.

However, "passwordless" logins in the conventional sense (using private/public keypair instead of keyboard interactive or password), are generally far better as long as you can keep the private key secure, which is most commonly done by encrypting the key with a password. While yes, you chose to protect your key with a password, that's not a part of the authentication as far as the system is concerned (the key itself is all that the system cares about, not what you have to do to provide it), so this is what most people refer to when they say "passwordless" logins.

Darth Android

Posted 2012-01-03T19:21:08.310

Reputation: 35 133

OK, that's what I wanted to hear. I somehow got the impression from google that passwordless ssh is a common practice and that it is not frowned upon. I see I was wrong. Thanks. – dijxtra – 2012-01-03T19:48:23.620

1 Depends what you mean by "passwordless". Public-private key authentication in SSH is common practice and is far superior to password-only logins. The trick is that your private key must be protected. Most people protect this with a passphrase sufficiently complex to protect against offline brute force attacks, and use strict online protections (e.g., a well patched and monitored admin machine) to keep even the encrypted private key secret. "more secure manners" depends on the security architecture. In small environments, public-private key ssh is often the best solution. – mgjk – 2012-01-03T20:26:18.380

I'm specifically calling passwordless logins to be using a public/private keypair without a protective password on the private key, since that was the type of "passwordless" used in the original question. When referring to public/private keys as passwordless as compared to using conventional password login, then that sort of "passwordless" (using a public/private keypair) is vastly superior to a password login. @dijxtra – Darth Android – 2012-01-03T21:00:21.507

2

You shouldn't have a passwordless key that is used by a person. People who suggest that are usually being overly lazy. Your private key should have a password, and you should use the ssh-agent so you only have to unlock the key once.

There are some cases where a service needs remote non-interactive access to another service. In this case a password-less key may be appropriate. But this service key should almost always only be used for a single service and the account that is accessed should have other protections in place. For example you might set up a key to restart/manage some service on a remote system. You would not set up this key for the root account, you would set it up for an unprivileged account, then grant only the required privileges via sudo or something else.

Zoredache

Posted 2012-01-03T19:21:08.310

Reputation: 18 453

1

A passwordless ssh key is a terrible idea, though it's probably better than using clear-text passwords. (If it needs to be used non-interactively, it can be an acceptable terrible idea, because there isn't really a good alternative, but then you have to guard the private key very carefully; see @Zoredache's answer.)

For interactive logins, the best practice is to generate a key pair with a passphrase, and use ssh-agent to hold the decrypted private key. You can use ssh-add -t ... to cause the private key to expire after a specified time.

Keith Thompson

Posted 2012-01-03T19:21:08.310

Reputation: 4 645