3 Replies to “DragonFly: client-side ssh passwords off by default”

  1. So what is it that makes key files magically so much more secure than a good old-fashioned password in everyone’s mind? So for example, at work most of my coworkers have root access because they are the admin team. They can read the contents of my .ssh directory and grab my private keys whether I like it or not. They might theoretically attempt to crack the passphrase in peace on their own hardware. Whereas if they attempt to crack my password on a remote machine, the repeated connection attempts will soon raise alarm bells and it is likely that attempts will be throttled even if not.

    Key files are only the most secure option if you trust the security of the source host.

  2. @opk

    Your root-admin friends can also fetch your crypted password from /etc/master.passwd or /etc/shadow (or even LDAP) and feed it to John the Ripper… so your point is a bit weak here.

  3. @SolarFlame

    Taking my crypted password and cracking it won’t help them access any remote systems I ssh to. I’m not using the same password and they aren’t root on the remote systems. There are things they could do like insert keylogging into the system, but that would affect key passphrases just as much as passwords.
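A defender-side check that follows from the first comment's worry (a local root reading the contents of .ssh and cracking the key's passphrase offline): the script below, added here and not part of the original thread, parses the unencrypted openssh-key-v1 header to report whether a private key is encrypted and with how many bcrypt KDF rounds, so you can see what an offline attacker would be up against. `make_sample_key` only builds a constructed, header-only blob for demonstration (no real key material), and the `min_rounds` threshold of 16 (ssh-keygen's default) is an assumption you may want to raise with `ssh-keygen -a`.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_openssh_key(pem: str):
    """Return (cipher, kdf, rounds) from an OpenSSH-format private key file.

    Only the cleartext header is parsed; the key material is never decoded.
    An unencrypted key reports ('none', 'none', 0).
    """
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an openssh-key-v1 file (PEM/PKCS#8 keys use other markers)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    rounds = 0
    if kdf == b"bcrypt":            # kdfoptions = string salt || uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return cipher.decode(), kdf.decode(), rounds


def passphrase_protected(pem: str, min_rounds: int = 16) -> bool:
    """True if the key is encrypted with bcrypt at or above the assumed round floor."""
    cipher, kdf, rounds = inspect_openssh_key(pem)
    return cipher != "none" and kdf == "bcrypt" and rounds >= min_rounds


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def make_sample_key(cipher: str, kdf: str, rounds: int) -> str:
    """Constructed sample: header-only blob wrapped like ssh-keygen output, zero keys inside."""
    kdfopts = b"" if kdf == "none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(kdfopts) + struct.pack(">I", 0))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Pointing `inspect_openssh_key` at the text of a real `~/.ssh/id_ed25519` works the same way, since it reads only the header fields that ssh-keygen leaves in the clear.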
