by dkokelley 4981 days ago
The password is not what is used to authenticate to the ssh remote. The ssh private key is still used, it's just locked on the client side. You unlock the private key with the passphrase, and then use the unlocked (unencrypted) key to authenticate to the remote.

By using a password-free key, your private key is sitting in plain text on your local machine, which is a potential security risk.

(Apologies if your question is more nuanced than my understanding.)


So, the private key is encrypted on the client side, which requires that the user type their key-password in, so that the client can send the private key in order to authenticate?

I generally use ssh keys so that I don't have to type my password in 50 times a day. Can this be done with a key-password, or does this defeat the entire purpose of having a key-password?

You can add it to ssh-agent, and it will be kept open for new connections to use (and even allow you to extend the keyed login to the next hop). Some desktops will do this automatically; some are set up to ask for the password each time.
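The two points above (the passphrase only encrypts the key file on the client; ssh-agent lets you unlock it once per session) can be checked from the shell. The script below is an added example, not code from the thread: `key_is_encrypted` decides whether a private key file is passphrase-protected by looking at the file itself (the `Proc-Type: 4,ENCRYPTED` header of the legacy PEM format, or the cipher name that follows the `openssh-key-v1` magic in the newer format, which reads `none` for a plaintext key), and `setup_agent_key` is the generate-then-`ssh-add` workflow. The file name `id_ed25519_example` and the comment string are assumptions for the example.

```shell
#!/bin/sh
# Added example; not part of the original thread.
export LC_ALL=C

# key_is_encrypted FILE
#   returns 0 if FILE is a passphrase-protected private key,
#           1 if it is a plaintext private key,
#           2 if it is not a private key format we recognise.
key_is_encrypted() {
  f=$1
  # Legacy PEM format (ssh-keygen -m PEM): an encrypted key carries this header.
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
    return 0
  fi
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
    # New format: the base64 body starts with the magic "openssh-key-v1\0",
    # then a length-prefixed cipher name ("none" for a plaintext key,
    # e.g. "aes256-ctr" for an encrypted one) and a KDF name ("none"/"bcrypt").
    # Decode the first 64 bytes and replace non-printable bytes with '.'
    # so the header can be matched as text.
    hdr=$(grep -v -- '^-----' "$f" | base64 -d 2>/dev/null | head -c 64 |
          tr -c '[:print:]' '.')
    case "$hdr" in
      openssh-key-v1.....none*) return 1 ;;   # magic, NUL, 4-byte length, "none"
      openssh-key-v1*)          return 0 ;;   # any other cipher means encrypted
    esac
  fi
  return 2
}

# setup_agent_key PASSPHRASE
#   Generate a passphrase-protected key and load it into ssh-agent once, so
#   later ssh connections use the unlocked key without prompting again.
#   Not run automatically: ssh-keygen/ssh-add are interactive tools.
setup_agent_key() {
  key="$HOME/.ssh/id_ed25519_example"          # assumed file name
  # -N "" here would write the private key to disk unencrypted.
  ssh-keygen -t ed25519 -f "$key" -N "$1" -C "example key"
  eval "$(ssh-agent -s)"                        # start an agent for this shell
  ssh-add -t 8h "$key"                          # prompts for the passphrase once; forgets it after 8h
  # Use `ssh -A host` to forward the agent so the key also works for the next hop.
}
```

Running `key_is_encrypted ~/.ssh/id_ed25519 && echo encrypted` against your own key tells you whether the "plain text on your local machine" risk in the parent comment applies to it.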
Something I've considered doing is creating a truecrypt volume and somehow sticking all of my pre-shared keys and stored credentials in there, for SSH keys, wifi keys, lastpass & dropbox credentials etc.

So I can mount the volume and be logged automatically into everything then dismount when I'm done.

It's just the pain of rounding all of the various files up.

Or just use ssh-agent, encrypt your key, and store everything per-file encrypted in Dropbox like everyone else does.

OSX Keychain stores wifi keys encrypted on disk with a key derived from your user account password.

The only passwords I need to remember are for my GPG key, my ssh key, Dropbox, and 1Password. Oh, and my user account.

I'd rather not use per file encryption with dropbox because that could break syncing in big files.

The idea would be to have everything auto-login when the drive is mounted and nothing auto-login when it is not.