2

When one generates keys using ssh-keygen one gets prompted for a passphrase to encrypt the generated key with.

How strong should such a passphrase be, entropywise, to withstand a full-blown brute-force dictionary attack?

Also, are there any ssh configuration settings that increase or reduce the advisable strength for the passphrase? (My understanding is that the slower the encryption algorithm used, the less entropy is required to put a passphrase encrypted with this algorithm beyond the reach of any feasible brute-force dictionary attack.)

kjo
  • 1,063
  • 2
  • 9
  • 17

2 Answers2

4

It should be as resistant as a good passphrase (obligatory quote of xkcd, even though it does not relate to offline attacks (but another one does))).

The encryption mechanism used by ssh-keygen is slow - which is good. Since the answer will be changing with time as computational capacities increase, make it 25 characters long and you will be good to go for some time.

Community
  • 1
WoJ
  • 9,038
  • 3
  • 34
  • 55
  • 2
    The new OpenSSH keyfile PBE is indeed good, but only available in recent versions (hence maybe not on 'stable' distros) and (at least through 7.0) is not the default except for Ed25519 so you must specify -o. RSA, DSA, ECDSA default to OpenSSL's 'legacy' formats which are quite bad (tweaked PBKDF1 with !!ONE!! iteration), but you can use OpenSSL to convert to PKCS8 format using PBKDF2 with 2048 iterations (optionally more in trunk, planned for 1.1.0) and OpenSSH can read that even though it won't write it; that's still not as good as bcrypt. – dave_thompson_085 Dec 02 '15 at 02:00
1

The Password and the Certificate have completely different purposes and are unrelated.

  • The Key file (or certificate file) is a Cryptographic way to identify yourself with the ssh server, (a bit like a stored-password-in-a-file)
  • The password is to ENCRYPT the key file with. so not anyone that can access the file can just use it.

The idea is that you protect your key file by not sharing it with anyone! (so brute-force should not be an issue than) This can be accomplished by storing them in a Hardware-key store like the yubikey or a Nitrokey or a Smart-card or similar technology.

If you suspect someone else has your Key, Roll out a new Key!

Since they only attack you are mentioning ( a brute-force) is offline and on a file, and you did not specify a time-frame no length is safe. This should not be a problem when you use the hardware key as recommended.

LvB
  • 8,943
  • 1
  • 30
  • 47