Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- requiring both password and rsa
November 4, 2003, 10:02 am
rate this thread
OpenSSH's sshd? I see some references to patches, but cannot follow
what is recommended. Is it in the base release now?
If someone walks off with another's laptop, the private key is stolen,
so a combination of what-you-know with what-you-have is required.
Re: requiring both password and rsa
be stolen, but assuming that it has a non-trivial password on it, the
attacker is not going far in any short period of time. Regardless of
whether you had an extra "system" password for ssh or not, once the
private key has been stolen, you are going to need to regenerate the
public / private key pair because it is now suspect. If your procedures
for this situation are timely, the attacker is very unlikely to have had
time the "crack" the private key.
Further than that, if the password has already been compromised on the
private key, for example using a key logger, what extra protection will
a system password afford you as this password could be compromised using
the same method?
private key = what you have
private key password = what you know
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — Newest thread in » Secure Shell Forum