SSH... to make a key-pair or not to make a key pair

Currently, when I ssh into my Linode box, I just type "ssh " and then type in my regular Linux account password. I have another account (not Linode, somewhere else), however, that doesn't let me do this. Instead I had to create a public/private key pair, give the public one to the remote machine and keep the private one on my home machine. And then, when I log in to their machine, I don't use my password, but rather a passphrase I created with those keys.

What are the security trade-offs of these approaches? As I understand it, when I type "ssh ", without the key pair setup, ssh, on-the-fly, does a public key followed by symmetric key transaction.

Thanks for any help.

1 Reply

Hello!

Hopefully at some point in the past sixteen years you've found other resources to help answer this question, but in looking through our archives I discovered that your inquiry had gone unanswered! So if you haven't received any input on your question yet, I'm happy to provide some here for you. Luckily, your question, which is currently old enough to drive, is just as relevant to server security today (2020) as it was when you asked in 2003.

While you are able to log into your Linode with just a root user login and password, we strongly recommend setting up a public/private key pair, so much so that we even have a whole guide that covers how to do so. The security trade-off is that an SSH key is much harder to duplicate than a password input, and is much harder to brute force.

Further, our "Securing A Server" guide instructs users on how to eliminate password and passphrase inputs entirely, offering further protection from brute force attempts.

I hope this helped clarify the strengths of an authentication key setup, and we thank you for being such a long-standing member of the Linode community!
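To check whether a server has actually stopped accepting passwords, as the reply above recommends, the following added example (not part of the original reply or of Linode's guides) audits an `sshd_config` file. The function names `effective_value` and `audit_sshd` are hypothetical and the sample configs are constructed; it assumes the plain `Keyword value` form and does not follow `Include` files or `Match` blocks.

```bash
#!/usr/bin/env bash
# Added example: does this sshd_config still allow password logins?
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and an unset keyword falls back to its default.
# Assumptions: "Keyword value" form, no Include files, global section only.

# effective_value FILE 'Keyword|Alias' DEFAULT -> first global value, lowercased
effective_value() {
    awk -v keys="$2" -v def="$3" '
        BEGIN { n = split(tolower(keys), k, "|"); val = def }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # Match blocks are conditional
        { for (i = 1; i <= n; i++)
              if (tolower($1) == k[i]) { val = tolower($2); exit } }
        END { print val }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 1 if a password can still be used
audit_sshd() {
    local pw kbd pk rc=0
    pw=$(effective_value "$1" 'PasswordAuthentication' yes)
    kbd=$(effective_value "$1" \
          'KbdInteractiveAuthentication|ChallengeResponseAuthentication' yes)
    pk=$(effective_value "$1" 'PubkeyAuthentication' yes)
    [ "$pw" = yes ]  && { echo "WEAK: PasswordAuthentication is $pw"; rc=1; }
    [ "$kbd" = yes ] && { echo "WEAK: keyboard-interactive is $kbd" \
                               "(PAM may prompt for a password)"; rc=1; }
    [ "$pk" = yes ]  || echo "NOTE: PubkeyAuthentication is $pk, keys cannot be used"
    [ "$rc" -eq 0 ]  && echo "OK: key-only login"
    return "$rc"
}

# Constructed sample configs (not taken from any real host).
weak=$(mktemp); hard=$(mktemp)
# A commented-out directive changes nothing: the default "yes" still applies.
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin yes' > "$weak"
# First occurrence wins, so the trailing "yes" is ignored.
printf '%s\n' 'passwordauthentication no' 'KbdInteractiveAuthentication no' \
              'PasswordAuthentication yes' > "$hard"

echo "== weak ==";     audit_sshd "$weak" || true
echo "== hardened =="; audit_sshd "$hard" || true
```

On a live host, `sshd -T` prints the effective configuration with defaults and included files resolved, which is the authoritative answer this file-level check approximates.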
