It almost goes without saying that servers should never run telnet or rlogin but rather should have SSH instead. Today’s UNIX and Linux server operating systems, whether commercial or open source, come with SSH (usually OpenSSH) installed.
The question is: is password authentication more secure than public key authentication? This question has been asked before; consider these two questions from serverfault.com, one from November 2010 and one from June 2010. The instinctive response from many will be “Of course not!” – but the question remains. What are the actual downfalls to password authentication – or are there any?
There are multiple problems that can exist with public key authentication that password adherents will point out.
Firstly, there is the possibility that a system can be compromised and the keys taken. This risk is not so high as it might sound; if you are running Linux or UNIX on the system and have it properly secured, the risk of system compromise is lower than you might think. It is also possible (and recommended) to encrypt the keys with a passphrase.
Secondly, those who recommend passwords will note that passwords exist only in your mind (as long as you don’t write it down). However, is an easily memorable password truly secure?
There are numerous advantages to using a key, including many not directly related to security: you can have different keys for different systems, and keys can be restricted in various ways by the server administrator. It is also possible to revoke access to a user without affecting any other user – no more having to tell everyone the new password after a password change.
Keys are also not susceptible to brute force attacks. A hacker can attempt to break into an SSH server by brute force by trying a variety of passwords and usernames; this is not possible with keys. This sort of attack can come from anywhere, which makes it easier for hackers to do and more likely to occur. If there are a lot of users using SSH, then the likelihood of someone using a weak password is much higher – making the risk of server compromise that much higher as well.
Passwords can also be stolen remotely. If a server is compromised, the next time you log in you may be connecting to a hacked SSH server which copies all of your passwords. If you used public key authentication, then your private key would never be seen (or compromised) by the remote server.
So how do you properly secure your private key? Here are a number of things you can do:
- Password protect your private key.
- Put the key on a removable device and remove after using.
- Put the key on an encrypted volume.
- Use ssh-agent to store the key instead of using it over and over.
If you have already created a key without a password, you can add a password by using
$ ssh-keygen -p -f id_mykey Key has comment 'id_mykey' Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase. $
There are a number of good sources of information on SSH – and OpenSSH in particular. Try some of these:
- Mick Bauer’s articles in Linux Journal, “The 101 Uses of OpenSSH”, Part 1 and Part 2
- The OpenSSH Wikibook
- Manual Pages from openssh.org
- Daniel Robbin’s articles on IBM developerWorks, “Common threads: OpenSSH key management”, Part 1, Part 2, and Part 3
- The book SSH: The Secure Shell and its associated web site
- An excellent article on using SSH keys from the Arch Linux wiki
4 thoughts on “Are SSH Passwords Safer than Keys?”
There is also a thing that always bugs me (although i’m a vocal supporter of key usage). Having the agent forwarded through a machine where others might have root access allows them to subvert your agent and login to another machine as you (only while you’re connected to that intermediary host, but still).
I have been looking for a way to make ssh-agent alert you whenever a key is checked, but I haven’t found yet a satisfactory method.
Technically, you can brute force keys. Granted it would take an enormous amount of resources to generate all the key material and iterate through them, still possible though.
Even with a super computer it would take thousands of years to brute force a single key.