by codys
2456 days ago
I think the confusion here might be a lack of clear distinction in the discussion between "ssh password auth" and "ssh pub key auth". My impression is that the result of some of the design decisions might make "ssh pub key auth" work less often. IOW: one would need to login via password auth before pub key auth would work. The alternate ("somehow have pubkey auth work and then ask for a crypto password") sounds like it would need some work and it isn't clear how useful it would be: if I'm already needing to enter a password anyhow, why bother with the previous pubkey auth? As discussed elsewhere, it's plausible that some mechanism could be developed to use the ssh key material (or some other stored key material) to have the unlocking happen without manual password entry, but that would require some additional development. Really, all this boils down to is that "login mechanisms aren't quite flexible enough", and the presentation touches on this to some extent as well.
Public key ssh login at a machine you hadn't sat down and logged in at would fail in the same fashion as one would expect if the home partition was absent.
This would seem to be passable in many cases right up until you have to reboot the machine for some reason and it's no longer possible to log in.
There is good reason to prefer a public key vs. a password. Pubkey auth means you aren't entering anything over the wire that can be intercepted, and nobody can guess your password, or use it if they knew it, to access your local system.
For example, someone who shoulder-surfed your password couldn't gain the ability to log into your machine from across town.
If they shoulder-surfed your passphrase/password and then stole your physical machine, they would of course have everything they needed in a typical configuration, even with encryption. You could of course go further and require a keyfile AND a passphrase, and hope it is harder to, say, steal a small USB device on your keychain and your computer than just your computer.
At this point it really looks like you are defending against a targeted attack on your data rather than simple theft.