On Thu, Dec 19, 2024 at 11:36 PM <to...@tuxteam.de> wrote:
>
> On Fri, Dec 20, 2024 at 10:22:29AM +0700, Max Nikulin wrote:
> > On 19/12/2024 15:56, Chris Green wrote:
> > > Horses for courses, I enter login passwords/passphrases quite frequently
> > > (lots of different systems that I ssh to); long, unmemorable passwords
> > > would be useless.
> >
> > Generate a private key and add its public counterpart to
> > ~/.ssh/authorized_keys on remote machines. A locally running ssh-agent
> > allows you to authenticate on remote machines without typing the
> > passphrase for the private key for each connection. It is more secure
> > than passwords against brute force attacks.
>
> Definitely. I was thinking specifically about passwords: what they are, how
> they work. But it's clear that (asymmetric) crypto keys are worlds ahead
> of passwords in terms of security, convenience (agent forwarding, anyone?),
> LDAP integration and all of that. Whenever I have the choice, an SSH key it
> is.

You can have public/private key crypto on the web, too. That's what
FIDO/FIDO2 devices provide, like YubiKeys. See
<https://docs.yubico.com/yesdk/users-manual/application-fido2/fido2-credentials.html>.

Prior to the FIDO{2} protocols, there were common access cards (CAC) and
personal identity verification cards (PIV). They never really took off
outside the enterprise and government agencies like the DoD. I
personally like PIV cards because I've been using them off and on for
more than a decade. (Encrypted email in high-security environments is
a different story. That still sucks.)

The browsers never warmed up to client-side [TLS] certificates, so
public/private keys never really materialized on the web. There are
philosophical and technical reasons for it. But the browsers are the
ones that worked against it and hence are responsible for it. (A lot
of people don't realize how much damage the CA/Browser cartel has done
to users of the web.)

Jeff

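[Editor's added example, not code from anyone in the thread.] Both the ssh-agent paragraph quoted above and Jeff's FIDO2 paragraph rest on the same challenge-response idea: the server stores only a public key, sends a fresh nonce, and checks a signature over it, so nothing reusable ever crosses the wire. The Go program below, standard library only, walks through the FIDO2/WebAuthn version of that exchange: a simulated authenticator signs a server challenge, and the server verifies the assertion and rejects a replay, a stale challenge, a challenge relayed through a phishing origin, and a tampered signature. The relying-party ID `example.com`, the origin, the ES256 (ECDSA P-256) algorithm, and the stripped-down authenticator data (rpIdHash, flags, counter only, no attested credential data or extensions) are assumptions chosen for the example, not anything stated in the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party parameters, constructed for this example.
const rpID, origin = "example.com", "https://example.com"

// Authenticator plays the FIDO2 token; the private key never leaves it.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

// StoredCredential is all the server keeps after registration.
type StoredCredential struct {
	pub       *ecdsa.PublicKey
	signCount uint32 // highest counter seen so far
}

// Assertion is the token's answer to one challenge (a WebAuthn "get" ceremony).
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte // what the browser saw: type, challenge, origin
	Signature      []byte // ES256: ECDSA P-256 over SHA-256, DER encoded
}

// NewAuthenticator generates a key pair and hands the server only the public half.
func NewAuthenticator() (*Authenticator, *StoredCredential) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, &StoredCredential{pub: &priv.PublicKey}
}

// NewChallenge is the server's fresh per-login nonce.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// signedMessage is what both sides hash: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign answers a challenge. The browser, not the token, reports the origin it
// really connected to, which is what makes a phishing relay detectable.
func (a *Authenticator) Sign(challenge []byte, seenOrigin string) (*Assertion, error) {
	// Marshal of a map[string]string cannot fail, so the error is discarded.
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "origin": seenOrigin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)})
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = 0x01 // flags: UP (user present)
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the server side. Each check rejects something a password login
// cannot: a stale or replayed response, a phishing relay, a cloned credential.
func Verify(cred *StoredCredential, challenge []byte, as *Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd["challenge"])
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case len(as.AuthData) < 37:
		return errors.New("authenticator data too short")
	case cd["type"] != "webauthn.get":
		return errors.New("wrong ceremony type")
	case err != nil || !bytes.Equal(got, challenge):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: challenge relayed through another site")
	case !bytes.Equal(as.AuthData[:32], rpHash[:]):
		return errors.New("rpIdHash mismatch: credential belongs to another site")
	case as.AuthData[32]&0x01 == 0:
		return errors.New("user-presence flag not set")
	case binary.BigEndian.Uint32(as.AuthData[33:]) <= cred.signCount:
		return errors.New("sign counter did not increase: cloned key or replay")
	case !ecdsa.VerifyASN1(cred.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature):
		return errors.New("bad signature")
	}
	cred.signCount = binary.BigEndian.Uint32(as.AuthData[33:]) // commit only after every check passed
	return nil
}

func main() {
	auth, cred := NewAuthenticator()
	ch := NewChallenge()
	as, _ := auth.Sign(ch, origin)
	fmt.Println("genuine login:", Verify(cred, ch, as), "| replayed:", Verify(cred, ch, as))
}
```

Two things worth noticing when you run it. First, the replay is caught by the sign counter even though the challenge still matches; a real server would additionally consume each challenge after one use, so both defences apply. Second, the origin check is what distinguishes this from a password or TOTP: a phishing page can relay the server's challenge to the victim's browser, but the browser writes the origin it actually loaded into clientDataJSON, and the token signs over that, so the relayed assertion fails at the legitimate site. Registration (attestation, credential IDs, the full attested-credential-data block) is left out here; this is only the login half of the protocol.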