traceroute66 an hour ago

> It's a total pain in the ass to try to have password encrypted gpg or ssh keys in mac.

Who uses password encrypted keys anyway? No exfiltration protection, and a sitting duck for unlimited automated password guessing attempts. Pre-Tahoe people used Yubikeys or Secretive. But now this native tool is a better option than Secretive, even if Yubikeys still have their uses for the power-users.

fpoling 22 minutes ago

With an ssh agent and time-bounded key expiration one can have a very strong password on the key that is convenient to use. Also, password managers like 1Password or Bitwarden support the ssh-agent protocol, so one can have a master password that protects both stored passwords and keys.

newsoftheday an hour ago

> Who uses password encrypted keys anyway?

Edit: I'm not suggesting an ssh key with a passphrase (or password) is better than what the article suggests; I'm only saying that adding a passphrase (or password) to an ssh key at least buys time to address the situation while the attacker is trying to break the encryption on the stolen key.

I am anti-Mac in every way, but I do use passphrase protected ssh keys so if someone were to get a copy of my ssh key, they would have to be able to break the encryption to use the key. I see a lot of devs using blank passphrases on their ssh keys, smh.

> sitting duck for unlimited automated password guessing attempts.

Using a passphrase on your ssh key has nothing to do with whether the ssh service is configured to allow or deny passwords.