Comments on: DragonFly: client-side ssh passwords off by default

By: opk

opk — Sat, 21 Oct 2017 13:42:35 +0000

@SolarFlame
Taking my crypted password and cracking it won’t help them access any remote systems I ssh to. I’m not using the same password and they aren’t root on the remote systems. There are things they could do like insert key logging into the system but that would affect key passphrases just as much as passwords.

By: SolarFlame

SolarFlame — Sat, 21 Oct 2017 10:03:12 +0000

@opk

your root-admin friends can also fetch your crypted password from /etc/master.passwd or /etc/shadow (or even LDAP) and feed it to john the ripper… so your point is a bit weak here

By: opk

opk — Sat, 21 Oct 2017 00:15:06 +0000

So what is it that makes key files magically so much more secure than a good old-fashioned password in everyone’s mind? So for example, at work most of my coworkers have root access because they are the admin team. They can read the contents of my .ssh directory and grab my private keys whether I like it or not. They might theoretically attempt to crack the passphrase in peace on their own hardware. Whereas if they attempt to crack my password on a remote machine, the repeated connection attempts will soon raise alarm bells and it is likely that attempts will be throttled even if not.

Key files are only the most secure option if you trust the security of the source host.