I assume you have set up public/private key authentication, tested that it works, and tightened sshd so that only key authentication is allowed, and only for specific non-root users (PasswordAuthentication no, PermitRootLogin no and an AllowUsers list in sshd_config).
Giving the key a passphrase is a good idea: it protects the private key if the file gets stolen, provided the passphrase is strong enough.
So even if somebody hacks your client and copies your private ssh key, they cannot use it unless they also capture the passphrase. Keep in mind that whoever has the file can try passphrases offline at full speed, so the passphrase has to withstand that. On OpenSSH 6.5 and later, generate the key with ssh-keygen -o (optionally with a higher -a round count) so it is stored in the new private-key format, which protects the key with the bcrypt KDF; the older PEM format derives its encryption key with a single MD5 pass and cracks much faster.
Downside: a passphrase-protected key cannot (easily) be used by unattended jobs, e.g. "rsync this folder to that server every Monday at 00:00", because nobody is there to type the passphrase. The usual answer for such jobs is a separate key without a passphrase that the server confines to that one task: in authorized_keys give it command="..." (a forced command), from="..." (the only client host allowed to use it) and the no-pty, no-port-forwarding, no-X11-forwarding and no-agent-forwarding options, so a stolen copy is good for nothing but that job from that host.
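As an added example (mine, not from the original post): a small shell helper that turns a public key into exactly such a restricted authorized_keys entry. The forced command /usr/local/bin/rrsync /srv/backup (rrsync is the restricted-rsync wrapper shipped with rsync, on Debian under /usr/share/doc/rsync/scripts/), the client address 172.20.0.7 and the public key material in the demo are assumptions and constructed sample data, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original post.
# restricted_key_line PUBKEY_FILE FROM_PATTERN FORCED_COMMAND [COMMENT]
# Prints one authorized_keys line that lets this key run only FORCED_COMMAND,
# only from hosts matching FROM_PATTERN, and never a shell, tunnel, X11 or agent.
restricted_key_line() {
    pubkey_file="$1"
    from_pattern="$2"
    forced_cmd="$3"
    comment="${4:-restricted-key}"
    # take only the key type and the base64 blob from the first line; the
    # original comment field is dropped so nothing from it can end up on the line
    keytype=$(awk 'NR==1 {print $1}' "$pubkey_file")
    keydata=$(awk 'NR==1 {print $2}' "$pubkey_file")
    case "$keytype" in
        ssh-*|ecdsa-sha2-*) ;;
        *) echo "restricted_key_line: no usable key type in $pubkey_file" >&2; return 1 ;;
    esac
    [ -n "$keydata" ] || { echo "restricted_key_line: no key data in $pubkey_file" >&2; return 1; }
    # forced_cmd must not contain double quotes; sshd reads the option up to the next "
    printf 'command="%s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s %s\n' \
        "$forced_cmd" "$from_pattern" "$keytype" "$keydata" "$comment"
}

# demo with a constructed sample key (the base64 below is NOT real key material);
# assumed: backups arrive from 172.20.0.7 and land in /srv/backup via rrsync
demo_pubkey=$(mktemp)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyDataNotARealKey backup@client\n' > "$demo_pubkey"
restricted_key_line "$demo_pubkey" "172.20.0.7" "/usr/local/bin/rrsync /srv/backup" "backup-key"
rm -f "$demo_pubkey"
```

Install the printed line in the backup account's authorized_keys on the server. With a forced command, whatever the client asks for is ignored and sshd runs the command given here; the client's original request is still handed to it in SSH_ORIGINAL_COMMAND, which is how rrsync decides which rsync invocation to permit.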
If you have given your private key a passphrase: great, your key is better protected.
BUT convenience has just gone down: you need to type the passphrase every time you open an ssh connection.
IT security always seems to come down to finding a good balance between convenience and security.
It is convenient to give everybody access to everything, but in the end some ransomware will be asking you for money to get your files back.
You could do it like this: keep your ssh key on an encrypted USB stick (TrueCrypt-encrypted? 😀 Not 100% plausible deniability: they can tell there is something on the stick besides music, but at least it is encrypted) that you wear like a necklace.
add user to client and server
The same username on client and server is convenient (ssh then defaults to your local username, so a plain "ssh server" works), but it is not required: you can always log in as a different account with ssh username@server. The key is tied to the remote account whose authorized_keys file it is listed in, not to the local username.
# add user (Debian/Ubuntu, Fedora/RedHat/CentOS7, Suse12)
# and create home directory
useradd -m username;
# assign password
passwd username;
# debian uses sh per default
# change default login shell of user to bash
usermod -s /bin/bash username;
is there any key-size-limit?
2048 bits is the default, 4096 bits is commonly used.
8192 bits (8*1024) and 16384 bits (16*1024) have been tested below and work. 16384 bits is also the hard limit: OpenSSH refuses to generate or load an RSA key with a larger modulus. Beyond 4096 bits the extra size buys little in practice: factoring a 4096-bit modulus is already far out of reach, key generation and every authentication get noticeably slower, and no RSA size helps against a large quantum computer, which would break a 16384-bit key much as it breaks a 2048-bit one. If you want a smaller, faster key with a comfortable margin, ssh-keygen -t ed25519 (OpenSSH 6.5 and later) is the modern choice.
uname -a
Linux debian 3.16.0-4-686-pae #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) i686 GNU/Linux
ssh -V
OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016

ssh-keygen -t rsa -b 4096; # generate a 4096-bit key

# from the manpage:
-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ED25519 keys have a fixed length and the -b flag will be ignored.

# what about 1024*8 = 8192 ?
ssh-keygen -t rsa -b 8192 # generate an 8192-bit key?
# works just the same (takes longer to generate though)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CMaKLUUoJTqQEcc09tTv3N+RlWSX1NZBSiQqB340T30 user@suse
The key's randomart image is:
+---[RSA 8192]----+
|=OB .. . o oooo+=|
|*=.= o o = o..E=|
|+ . = + + . .+.o|
| = o . .= ..|
|o o .oS. o |
| . o . o |
| . . . |
| . . |
| |
+----[SHA256]-----+
wc -l ~/.ssh/id_rsa
99 /home/user/.ssh/id_rsa; # it has 99 lines

# what about 1024*16 = 16384 ? - just in case dwave and the CIA get serious about quantum computing :-p
ssh-keygen -t rsa -b 16384 # generate a 16384-bit key?
# works just the same (takes waaaaaaay longer to generate though)
# expect one cpu core to go 100% for the next 10 minutes :-D - the RAM usage is only 3.8MBytes
Enter file in which to save the key (/home/user/.ssh/id_rsa):
/home/user/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:mXqdzMlbq+JMZ4ifZF3MIcaatHvRLkIL1w2UHEitqVo user@suse
The key's randomart image is:
+---[RSA 16384]---+
| ..+oo |
| .o+ |
| .o= . |
| .oO B . |
| ..S o * |
| E* X * |
| oo X & o |
| . B.* + . |
| .=.o.. |
+----[SHA256]-----+
wc -l ~/.ssh/id_rsa
195 /home/user/.ssh/id_rsa; # now double the size :-D

scp ~/.ssh/id_rsa.pub 172.20.0.12: # uploading key to test-server running debian8.7
firstname.lastname@example.org's password:
id_rsa.pub 100% 2783 2.7KB/s 00:00

# switching over to ssh-server
cat id_rsa.pub >> ./.ssh/authorized_keys; # appending the public RSA 16384 key to authorized_keys
# when you are done testing key lengths
# on the client and server side you need to do
chown -R user:user /home/user/.ssh
chmod 700 /home/user/.ssh
# server side only
# this is where the public key goes
chmod 600 /home/user/.ssh/authorized_keys
# client side: ssh-keygen already creates the private key with mode 600;
# ssh refuses to use a private key that other users can read

# switching over to ssh-client
# a simple
ssh -v email@example.com
# should get you logged into the ssh server
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Fri May 5 12:13:53 2017 from 172.20.0.7
# works like a charm :)
user@debian:~$
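To check that the chown/chmod steps above actually took (sshd's StrictModes, on by default, silently ignores authorized_keys when the directory or file is writable by others or not owned by the user, and ssh on the client refuses a private key that others can read), here is an added check script of my own, not from the original post. It assumes GNU coreutils stat (Linux) and takes the directory and expected owner as arguments so it can be run on either side or against a test directory.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_mode PATH OWNER MODE: report and return 1 unless PATH exists, is owned
# by OWNER and has exactly the octal mode MODE (as GNU stat prints it, e.g. "700").
check_mode() {
    path="$1"; want_owner="$2"; want_mode="$3"; bad=0
    [ -e "$path" ] || { echo "$path: missing"; return 1; }
    set -- $(stat -c '%a %U' "$path")   # $1 = octal mode, $2 = owner name
    [ "$1" = "$want_mode" ]  || { echo "$path: mode $1, expected $want_mode"; bad=1; }
    [ "$2" = "$want_owner" ] || { echo "$path: owner $2, expected $want_owner"; bad=1; }
    return $bad
}

# check_ssh_perms DIR OWNER: DIR is the ~/.ssh directory to inspect.
# Server side it must be 700 with a 600 authorized_keys (what the post sets;
# sshd's StrictModes itself only rejects group/world-writable files, but 600
# is the sane target). Client side the private keys must be 600, or ssh
# refuses them with "Permissions ... are too open".
check_ssh_perms() {
    dir="$1"; owner="$2"; rc=0
    check_mode "$dir" "$owner" 700 || rc=1
    if [ -e "$dir/authorized_keys" ]; then
        check_mode "$dir/authorized_keys" "$owner" 600 || rc=1
    fi
    for key in "$dir/id_rsa" "$dir/id_ecdsa" "$dir/id_ed25519"; do
        if [ -e "$key" ]; then
            check_mode "$key" "$owner" 600 || rc=1
        fi
    done
    return $rc
}

# when run as a script: check the current user's own ~/.ssh, if there is one
if [ -d "${HOME:-/nonexistent}/.ssh" ]; then
    check_ssh_perms "$HOME/.ssh" "$(id -un)" \
        && echo "ok: $HOME/.ssh permissions look right" \
        || echo "fix the problems listed above"
fi
```

Run it as the account in question on the server (check_ssh_perms /home/user/.ssh user) after the chown/chmod, and again whenever key login mysteriously falls back to a password prompt: a wrong mode on ~/.ssh is the most common reason, and sshd only reports it in its own log, not to the client.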
speed with larger keys
Larger keys need more CPU, but only during the authentication handshake (one signature on the client, one verification on the server). Once the session is up, the data is encrypted with the negotiated symmetric cipher (AES and friends), so the size of your RSA key has no effect on scp/rsync throughput; over the internet, bandwidth is the limiting factor anyway. The figures below therefore compare the two client machines, not the key sizes.
# CentOS client, 4096-bit RSA key
scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25
[user@centos ~]$ scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 41.0MB/s 00:25

# Suse client
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 36.6MB/s 00:28
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27
user@suse:~> scp 1gybe.testfile 172.20.0.12:
1gybe.testfile 100% 1024MB 37.9MB/s 00:27
passphrase session-cache – ssh-agent
„ssh-agent is a program to hold private keys used for public key authentication (RSA, DSA, ECDSA, Ed25519).
ssh-agent is usually started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program.
Through use of environment variables the agent can be located and automatically used for authentication when logging in to other machines using ssh(1).“
You can have ssh-agent keep your key unlocked for the session: you type the passphrase once, the agent holds the decrypted private key in memory, and ssh asks the agent to sign on its behalf for every connection. (It is the unlocked key that is cached, not the passphrase.) Two caveats: any process running as your user, and root, can use the key through the agent socket while it is loaded, so limit the lifetime with ssh-add -t <seconds> and unload with ssh-add -D when you are done; and do not enable ForwardAgent towards hosts you do not fully trust, because root on such a host can use your agent for as long as you are connected.
It works like this:
ssh-add -l; # list the identities the agent holds (none yet)
The agent has no identities.
eval $(ssh-agent); # starts an agent and sets SSH_AUTH_SOCK / SSH_AGENT_PID in this shell
Agent pid 2349
ssh-agent; # without eval this just starts ANOTHER agent and prints the variables the shell would have to set
SSH_AUTH_SOCK=/tmp/ssh-cvnht9zt5ehE/agent.2359; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2360; export SSH_AGENT_PID;
echo Agent pid 2360;
ssh-add; # add the default private key (~/.ssh/id_rsa); its passphrase is asked for once
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
ssh-add -l; # now one identity is held
8192 SHA256:5Co8zddjNGPr1dXrdOKR5bRv78KtD/Hnrn8Z9D/ocQk /home/user/.ssh/id_rsa (RSA)
user@suse12:~/.ssh> ssh debian8; # you should now be logged in automatically, without being asked for the passphrase, for your whole session; this also works in sub-shells until you completely log off or kill the agent
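As an added example (mine, not the post's), the same agent mechanism used in a more contained way: a throw-away agent that lives only for one command and whose identities expire after a given number of seconds, instead of a session-wide agent that holds the unlocked key until you log out. It assumes OpenSSH's ssh-agent and ssh-add are installed; the key path, lifetime and rsync destination in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.
# with_agent KEYFILE TTL_SECONDS COMMAND [ARGS...]
# Starts a private ssh-agent, loads KEYFILE into it (asking for the passphrase
# once if it has one), runs COMMAND with that agent, then kills the agent.
# Identities in this agent expire after TTL_SECONDS no matter what, and the
# subshell keeps SSH_AUTH_SOCK / SSH_AGENT_PID from leaking into the caller.
with_agent() {
    keyfile="$1"; ttl="$2"; shift 2
    [ -r "$keyfile" ] || { echo "with_agent: cannot read $keyfile" >&2; return 1; }
    (
        # -s: emit Bourne-shell assignments; -t: default lifetime of added identities
        eval "$(ssh-agent -s -t "$ttl")" >/dev/null || exit 1
        # kill this agent when the subshell ends, whether COMMAND succeeded or not
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
        ssh-add "$keyfile" || exit 1
        "$@"
    )
}

# usage (placeholders, needs a real key and a reachable host):
#   with_agent ~/.ssh/id_rsa 300 rsync -a /data/ backup@172.20.0.12:/srv/backup/
```

The exit status of with_agent is that of the command, so it drops into scripts unchanged; the passphrase prompt still comes from ssh-add on the terminal, so this is for interactive use or a session you start by hand, not for cron (use a restricted passphrase-less key for that).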
ssh and security – https://linux-audit.com/audit-and-harden-your-ssh-configuration/