Passphrase or not? #2

Closed
opened 3 years ago by buhtz · 17 comments
buhtz commented 3 years ago

For the documentation, it needs to be decided whether Codeberg recommends a passphrase-secured key or not.

Just saying yes because it is more secure doesn't help, because it is theoretical.

I would argue that a passphrase is not needed if you use different keys for different machines. If someone uses/steals this key, all modifications on the account and repository are logged.
If the user is aware of the stolen key, it can be removed.

It is known that it lowers security if a process becomes too complex.

Is there a defined way to find consensus about such questions?

Owner

@buhtz
Someone (or malware) could copy a key without you noticing. Using passwords is more secure, and unlocking a key once by using an ssh-agent is not a big problem. If you have a different opinion, then we could just avoid recommending anything and just state that it is more secure to have a password.

Poster

But when the key is copied I would automatically notice this because I see irregular modifications in my repository.

Owner

@buhtz
If you only use the key for repositories, probably. If you share keys for multiple uses (for example for ssh logins), you should definitely use passphrases.

I personally would always use passphrases since using an ssh-agent and typing in the password once per session is acceptable to me.

In other words: If I have to choose between much more security and a little more comfort, I take security.


@ashimokawa If malware is able to copy the key, then the attacker could also install a keylogger which sniffs the passphrase of the key(s).
To quote from the [Qubes-OS documentation](https://www.qubes-os.org/doc/split-gpg/):

> We should make a rather obvious comment here that the so-often-used passphrases on private keys are pretty meaningless because the attacker can easily set up a simple backdoor which would wait until the user enters the passphrase and steal the key then
Owner

@chrisrandom
I still think that passwords are not meaningless. I mean, if I have them lying around on a USB stick and forget it somewhere, I feel better if they have passwords.

Also, it is easier to copy someone's key when he leaves his PC unattended for a few minutes than to install a keylogger and steal the key, obtain the data from the keylogger, and match the data from the keylogger to the password.

These arguments somehow sound to me like "I do not lock my door, because if someone wants to pry it open he will succeed anyway".

Sure, passwords won't help in many situations, but I really do not think they are useless.


My previous comment was focused on the argument about the malware above. If they are lying around on unprotected devices, I agree with you.

Poster

Currently I just added a link to this Issue here on the related wiki page.

https://codeberg.org/Codeberg/Documentation/wiki/SSH-key-for-Codeberg

I am not "Codeberg", so I am far away from deciding this. But from the viewpoint of a "simple user" I would like to have an official and reasoned recommendation about the topic.

Owner

I guess there is no common opinion on this, but using a passphrase definitely increases account security, as it involves an additional authentication factor.

As nowadays ssh-agent-implementations for all desktop environments are pretty common, which either store+replay the passphrase auth per session, or in a keychain, in most cases having a passphrase won't even make access less comfortable.

Maybe worth linking to https://en.wikipedia.org/wiki/Ssh-agent or just paraphrasing the main points?

Poster

In the current state I do not use a passphrase or the agent. And I have no plan to change that - maybe later.

So I am not able to add valid information about passphrases and the use of the agent to the wiki.

But I would recommend not linking somewhere but describing the steps in the Codeberg wiki. When it is "finished" I could test - if I understand it. ;)
I would also be interested in using the passphrase/agent in combination with the KeePassXC password manager.

lhinderberger added the
Kind: Documentation
Kind: Question
Kind: Security
Status: Needs feedback
labels 2 years ago

Sorry to jump in with basically no knowledge, but not understanding the whole discussion made me wonder whether the [documentation](https://docs.codeberg.org/security/ssh-key/) should also mention what SSH keys are for, and the pros and cons of using them.

Or should it be assumed that most users know about it already? I don't know about that topic, but I'm not a programmer; I use Codeberg for my R code and I have no other IT knowledge.

Feel free to ignore my comment!

@ivan-paleo True - this will very likely be a part of #56


I would recommend it.

An SSH key without a passphrase is only security through possession.

An SSH key with passphrase, on the other hand, is security through possession and knowledge.
Even if an ssh-agent is used, it is usually still secured by the user login with password (knowledge).

Furthermore, such a first key is used much longer than expected. If you have secured it with a password, it is more sustainable in the long run.

We live in a time where more and more data is synced and more and more data ends up in the cloud without encryption. A password is better.
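
A way to audit which private key files actually carry a passphrase, as an added example that is not part of the original thread: OpenSSH-format keys store the cipher name unencrypted in the file header, and legacy PEM keys announce encryption in a `Proc-Type` line. The sample keys are constructed, header-only blobs with no key material, and the function and constant names are illustrative.

```python
import base64
import struct
import sys

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH private key blob

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def passphrase_status(pem_text):
    """Return 'protected', 'unprotected' or 'unknown' for private key text."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    header = lines[0] if lines else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            if not blob.startswith(MAGIC):
                return "unknown"
            cipher, _ = _read_string(blob, len(MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        # The cipher name is stored in clear; "none" means no passphrase.
        return "unprotected" if cipher == b"none" else "protected"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # encrypted PKCS#8
        return "protected"
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM announces encryption in a Proc-Type header line.
        enc = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return "protected" if enc else "unprotected"
    return "unknown"

def _sample(cipher, kdf):
    """CONSTRUCTED header-only blob for the demo; contains no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = base64.b64encode(MAGIC + s(cipher) + s(kdf) + s(b"")).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_PLAIN = _sample(b"none", b"none")
SAMPLE_ENCRYPTED = _sample(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. ~/.ssh/id_ed25519
        with open(path, encoding="ascii", errors="replace") as fh:
            print(path, passphrase_status(fh.read()))
```

Run as a script with key file paths as arguments, it prints one status per file; the check reads only the unencrypted header and never needs the passphrase.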


The least we can do is to make our users aware of the possibility to use a passphrase, give a short, neat summary of its benefits and thus enable each user to make an informed decision. That way we don't have to explicitly recommend anything of which we have mixed opinions.


How do we want to proceed?

Would maybe the solution I proposed above be an acceptable compromise? 😉


For me yes, because it is indirectly close to a recommendation.
Or we take a vote ;)

Owner

> The least we can do is to make our users aware of the possibility to use a passphrase, give a short, neat summary of its benefits and thus enable each user to make an informed decision.

this sounds good imo, user should be empowered to decide responsibly.

> How do we want to proceed?

;) those who do have the power in a do-o-cracy ;)
lhinderberger added
Status: Help wanted
and removed
Status: Needs feedback
labels 2 years ago

In that case: PR is welcome 😉

fnetX closed this issue 1 year ago
Reference: Codeberg/Documentation#2