viewmail-info

Re: [VM] imap-ssh and passwords


From: Tim Cross
Subject: Re: [VM] imap-ssh and passwords
Date: Wed, 12 Oct 2011 12:39:58 +1100

On Wed, Oct 12, 2011 at 3:50 AM, Matthew Vernon <address@hidden> wrote:
> Hi,
>
> On 11/10/11 14:13, Uday Reddy wrote:
>
>> But, from what I have heard, using public key encryption is better for
>> security than sending passwords.  Some of my SSH servers enforce it.  Does
>> your SSH server not allow encryption-based authentication?
>
> It does, but I'd rather not allow password-less access to my mail server
> from some of the places I run VM from, and I don't think this is entirely
> unreasonable.
>
> Thanks,
>
> Matthew
>
>

I think there is a bit of confusion here.

The idea isn't to allow a password-less (or more accurately under ssh
jargon, passphrase-less) access.

With ssh, you have a number of different authentication types. The
most basic is just normal password based. This is also the less secure
method.

The preferred method is to create a public/private key pair. You place
the public key in the authorized_keys file on the remote host.
Associated with the private key is a passphrase, which ssh will prompt
for before it uses the key in authenticating connections.

To make this process a better user experience, it is common to also
set up an ssh-agent on the local host. This agent works as a key
manager. The first time you try to access the remote host, it pops up
a dialogue box and asks you for your passphrase. It then caches that
information and will allow all future connections within that local
login session without again asking for the passphrase. The keys are
still used, it just doesn't ask you again to verify who you are.

However, imap over ssh is rather an older solution. Most sites now
support encrypted connections using TLS/SSL. This tends to be a more
robust and easier to set up approach. Maybe you could look into that
rather than using imap over ssh?

Tim



-- 
Tim Cross
Phone: 0428 212 217


