Hacker News new | past | comments | ask | show | jobs | submit login

I like being able to log into my server from anywhere without having to scrounge for my key file, so I end up enabling both methods. Never quite saw how a password you save on your disk and call a key is so much more secure than another password.



This is definitely a common fallacy. While passwords and keys function similarly via the SSH protocol, there's two key things that are different. 1, your password is likely to have much lower entropy as a cryptographic secret (ie: you're shooting for 128 bits of entropy, which takes a pretty gnarly-sized password to replicate), and 2. SSH keys introduce a second layer of trust by virtue of you needing to add your key ID to the system before you even begin the authentication challenge.

Password authentication, which only uses your password to establish you are authentically you, does not establish the same level of cryptographic trust, and also does not allow the SSH server to bail out as quickly, instead needing to perform more crypto operations to discover that an unauthorized authentication attempt is being made.

To your point, you are storing the secret on your filesystem, and you should treat it accordingly. This is why folks generally advocate for the use of SSH Agents with password or other systems protecting your SSH key from being simply lifted. Even with requiring a password to unlock your key though, there's a pretty significant difference between key based and password based auth.


I’ve seen lots of passwords accidentally typed into an IRC window. Never seen that happen with an SSH key.


I heard that if you type your password in HN it will automatically get replaced by all stars.

My password is **********

See: it works! Try it!


So if I type hunter2 you see ****?


A few more things:

An SSH key can be freely reused to log in to multiple SSH servers without compromise. Passwords should never be reused between multiple servers, because the other end could log it.

An SSH key can be stored in an agent, which provides some minor security benefits, and more importantly, adds a whole lot of convenience.

An SSH key can be tied to a Yubikey out of the box, providing strong 2FA.


Putting aside everything else. How long is your password vs how long is your key?


It's this, plus the potential that you've reused your password, or that it's been keylogged.


It's more secure because it's resistant to MITM attacks or a compromised host. Because the password is sent, the private key isn't.


My home IP doesn’t change much so I just open ssh port only to my own IP. If I travel I’ll add another IP if I need to ssh in. I don’t get locked out because I use VPS or cloud provider firewall that can be changed through console after auth/MFA. This way SSH is never exposed to the wider internet.


Another option is putting SSH on an IP on the wireguard only subnet.


I've recently done this for all my boxes, but tailscale over barebones wireguard. So fucking awesome. I just run tailscale at all times on all my boxes, all my dns regardless of what network i'm on goes to my internal server that upstreams over tls. It's great, and tailscale is a snap to set up.


Use TOTP (keyboard-interactive) and password away!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: