Why is SSH key authentication better than password authentication


This isn't so much a technical question as it is conceptual. I understand the cryptography used in an SSH key is far stronger than a regular password, but I don't understand why it is considered more secure.

Most tutorials I read suggest using SSH key authentication rather than password authentication. But my understanding is that anyone who then has access to a pre-approved client machine will then be able to connect to the server, meaning that the level of security provided by the SSH key is only as strong as the level of security of the physical client machine.

For example, if I setup an SSH key on my phone to connect to my home machine, should I lose my phone and someone manages to unlock it, they will be able to connect to my home machine. I know I can then remove the key for my phone from my home machine, but I'm vulnerable until I realise the client device has been lost/breached.

Have I misunderstood something, or are those valid concerns?

Best Answer

If your SSH service allows password based authentication, then your Internet connected SSH server will be hammered day and night by bot-nets trying to guess user-names and passwords. The bot net needs no information, it can just try popular names and popular passwords. There's an awful lot of people named john with a password of qwerty123. Apart from anything else this clogs your logs.

If your SSH service only allows public-key authentication, an attacker needs a copy of a private key corresponding to a public key stored on the server. They can't just make random attacks, they have to have prior knowledge of your users and have to be able to steal a private key from the PC of an authorized user of your SSH server.

The fact that private keys are often protected by a long pass-phrase is of secondary significance.


As comments point out, and as I have experienced, moving your SSH service from port 22 to a high numbered port makes a dramatic difference in the number of unauthorized login attempts appearing in your logs. This is worth doing but I do regard it as a form of security by obscurity (a false sense of security) - sooner or later bot-nets will implement slow stealthy port-scanning or you will be deliberately targeted. Better to be prepared.

I always use a long pass-phrase to protect my private key, I guess this is of particular importance on mobile devices that could more easily be lost or stolen.

Also, http://xkcd.com/538/


Related Question