Security of ssh key passphrases - i.e. where to save them?
Chris Green
cl at isbd.net
Sun Aug 18 12:07:50 UTC 2024
On Sun, Aug 18, 2024 at 12:11:55PM +0100, Colin Law wrote:
> On Sun, 18 Aug 2024 at 11:46, Chris Green <cl at isbd.net> wrote:
> >
> > On Sun, Aug 18, 2024 at 11:32:37AM +0100, Colin Law wrote:
> > > On Sun, 18 Aug 2024 at 11:19, Chris Green <cl at isbd.net> wrote:
> > > >
> > > > One is always told that using an ssh key with a passphrase is more
> > > > secure than using password authentication.
> > > >
> > > > Yes, it is so in the context of the login process, however that isn't
> > > > the whole story. Where/how do you save the passphrases so that if you
> > > > forget one you can retrieve it? The 'safe' where they are saved needs
> > > > to be as secure as the ssh protocol if the security of the ssh
> > > > protocol itself is going to be of any use at all.
> > > >
> > > > So, what do others here do?
> > >
> > > I use Bitwarden for storing all credentials. So when used on a PC it
> > > is unlocked with a master passphrase, and on Android it is unlocked
> > > with my fingerprint.
> >
> > So it's the "single point of failure" for you. If someone works out
> > your passphrase or grabs your phone after you've unlocked Bitwarden
> > they can access everything.
>
> Yes, though on the phone they would have to know what they were doing,
> because if they let the phone go to sleep they would be stuck. A
> random passer by taking my phone would not achieve anything.
>
> >
> > I'm not saying it's the wrong way to go about it, it's basically one
> > of the approaches I described, but there are risks with it.
>
> Indeed, there is no risk free solution. I could be physically forced
> to unlock the phone with my finger, or into giving the master
> passphrase.
>
> >
> >
> > > The database is accessible from all your devices.
> >
> > Isn't that in itself another risk? Is the access from "all your
> > devices" as secure as ssh using a passphrase?
>
> I don't understand your point.
>
The data must be communicated across the internet somehow. Is that
communication as secure as using ssh?
> >
> > > It has browser plugins so that you can use it for user/pwd filling
> > > rather than the browser. It recognises the URL and offers the
> > > appropriate credentials for the page.
> > > It is excellent. I pay the $10/year for the premium version, but the
> > > free version may well be good enough for you.
> > >
> > > I don't know whether it can interact with the command line for the
> > > particular situation you describe as I don't have that issue.
> > >
> > Just about all my security relates to command line use. I have
> > nothing on my 'phone worth stealing (no banking apps, no address list,
> > no passwords). I do all my internet banking on my laptop and access
> > security information for that from my GPG safe storage.
>
> Bitwarden is just an alternative to GPG safe storage, with some
> advantages and maybe disadvantages, I don't know.
>
> Colin L
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
--
Chris Green