| ▲ | greatgib 2 hours ago |
| It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac. Nothing better than another way to make it even more painful and complicated, so that people will just store plain text keys to not be annoyed. |
|
| ▲ | tiltowait 9 minutes ago | parent | next [-] |
| I've used password-encrypted keys on a Mac plenty of times. It was easy to add them to the SSH agent to not require a password after initial authorization, if that's what I wanted. What is the issue I'm not seeing? |
|
| ▲ | traceroute66 an hour ago | parent | prev | next [-] |
| > It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac. |
| Who uses password encrypted keys anyway? No exfiltration protection, and a sitting duck for unlimited automated password guessing attempts. Pre-Tahoe people used Yubikeys or Secretive. But now this native tool is a better option than Secretive, even if Yubikeys still have their uses for the power-users. |
|
| ▲ | fpoling 20 minutes ago | parent | next [-] |
| With an ssh agent and time-bounded key expiration one can have a very strong password on the key that is convenient to use. Also password managers like 1password or Bitwarden support the ssh-agent protocol so one can have a master password that protects both stored passwords and keys. |
|
| ▲ | newsoftheday an hour ago | parent | prev [-] |
| > Who uses password encrypted keys anyway? |
| Edit: I'm not suggesting an ssh key with a passphrase (or password) is better than what the article suggests; I'm only saying that adding a passphrase (or password) to an ssh key at least buys time to address the situation while the attacker is trying to break the encryption on the stolen key. |
| I am anti-Mac in every way, but I do use passphrase protected ssh keys so if someone were to get a copy of my ssh key, they would have to be able to break the encryption to use the key. I see a lot of devs using blank passphrases on their ssh keys, smh. |
| > sitting duck for unlimited automated password guessing attempts. |
| Using a passphrase on your ssh key has nothing to do with whether the ssh service is configured to allow or deny passwords. |
|
| ▲ | lloeki an hour ago | parent | next [-] |
| > whether the ssh service is configured to allow or deny passwords. |
| Given the consistent use of "password" instead of "passphrase", I think they meant an exfil'ed encrypted key is vulnerable to no-rate-limit bruteforcing, in contrast with hardware-backed keys. |
|
| ▲ | newsoftheday an hour ago | parent [-] |
| Right, but my context is that devs often use no passphrase at all. If someone can get a copy, they have instant access to whatever it has access to. They don't need to even break encryption since the key has none if none has been applied. My stance is simply, at least add a passphrase to the key (though some call it a password). |
|
| ▲ | Xylakant an hour ago | parent | prev [-] |
| The parent means that an attacker has unlimited attempts at breaking the passphrase on an exfiltrated key. Once the key passphrase is broken, they can log in using the key. |
|
| ▲ | newsoftheday an hour ago | parent [-] |
| Right, but my context is that devs often use no passphrase at all. If someone can get a copy, they have instant access to whatever it has access to. |
|
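Added example, not from the thread above or from any of its participants: a standard-library Python check that reads the cipher and KDF fields of an OpenSSH private key container to flag keys saved with a blank passphrase, the situation the subthread above is discussing. The two key blobs it builds are constructed header-only samples, not usable keys, and `key_protection` is a hypothetical helper name.

```python
"""Report whether an OpenSSH private key file is passphrase-protected.

The "openssh-key-v1" container starts with a magic string, then a
length-prefixed ciphername and kdfname. A key saved with a blank
passphrase has ciphername "none"; a protected one names e.g. "aes256-ctr"."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"

def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def key_protection(key_text):
    """Return (encrypted, cipher, kdf) for the text of a private key file."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] != OPENSSH_HEADER:
        if not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
            raise ValueError("not an SSH private key file")
        # Legacy PEM keys advertise encryption in a "Proc-Type" header line
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return encrypted, "pem-legacy", "pem-header" if encrypted else "none"
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, off)
    cipher, kdf = cipher.decode(), kdf.decode()
    return cipher != "none", cipher, kdf

def _build_sample(cipher, kdf):
    """Constructed header-only container for demonstration; not a usable key."""
    body = MAGIC
    for field in (cipher.encode(), kdf.encode(), b""):  # cipher, kdf, kdfoptions
        body += struct.pack(">I", len(field)) + field
    body += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(body).decode()
    return f"{OPENSSH_HEADER}\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

BLANK_PASSPHRASE_KEY = _build_sample("none", "none")    # constructed sample
PASSPHRASE_KEY = _build_sample("aes256-ctr", "bcrypt")  # constructed sample

if __name__ == "__main__":
    for name, text in (("blank", BLANK_PASSPHRASE_KEY), ("protected", PASSPHRASE_KEY)):
        print(name, key_protection(text))
```

Pointing `key_protection` at the files under `~/.ssh` gives a quick inventory of which keys would be usable immediately if copied and which would at least cost an attacker a passphrase search.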
| ▲ | manuelabeledo an hour ago | parent | prev | next [-] |
| This looks like the complete opposite, though? It’s easy and provides a convenient way to integrate SSH and TouchID. |
|
| ▲ | newsoftheday an hour ago | parent | prev [-] |
| > It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac |
| I'm anti-Mac but for the year recently that I had to use one at work, no choice... I had no issues, none, using gpg or using a passphrase on my ssh keys. |