cvs repo connection type?

Thread Starter

Mathematics!

Joined Jul 21, 2008
1,036
What is the difference between the ext, extssh, pserver, and pserverssh2 connection types?

I have used pserver by default (I don't think it is encrypted, i.e. it sends files over the wire in plain text).

So I then switched to pserverssh2, which I assume is connecting to port 22 first, sort of like an ssh tunnel to my repo. (I needed openssh installed for this.)

But what are ext and extssh? And when would you use these over the others?

Note: I am using cvs through Eclipse, and those are the only allowable selections for cvs connection type.
 

thatoneguy

Joined Feb 19, 2009
6,359
ext and extssh are Eclipse only connections/proprietary, it may or may not be enabled on the CVS server. I'd suggest using pserverssh2 for authentication and encryption, that way your credentials aren't sent over the line in plaintext.

You could also use a signed key with ssh2, so it logs in using your key, but you have to locally enter a password to unlock your key to be sent. This is a bit more secure than key only, since if you lose an un-protected key, anybody could use it to wreak havoc.

pserver is plaintext
pserverssh2 is encrypted with ssh version 2
ssh is connection using ssh version 1, but that's not one of your options.

The most secure authentication is "Something You have + Something you know", which would be key and password.

Other authentications use either something you have, or something you know, or a sequence generator (keyfob). Adding the password makes it much harder for an attacker to gain access.
 

Thread Starter

Mathematics!

Joined Jul 21, 2008
1,036
> The most secure authentication is "Something You have + Something you know", which would be key and password.

Partially agree with this.
What about something you are: biometrics :cool:

Anyway, what I read about extssh is that it is an Eclipse built-in ssh client.
And ext was if you wanted to use an external ssh client, I believe.

But I am using pserverssh2 and I had to install openssh to use it. But I am wondering, if I used extssh, would I not have to download/install openssh, since what I read is that it is using a built-in ssh client in Eclipse?

> You could also use a signed key with ssh2, so it logs in using your key, but you have to locally enter a password to unlock your key to be sent. This is a bit more secure than key only, since if you lose an un-protected key, anybody could use it to wreak havoc.

Are you talking about using ssh-keygen here?
 

thatoneguy

Joined Feb 19, 2009
6,359
Yes, ssh-keygen will allow you to add a passphrase to your key. Many people think a password free key is best, since they don't like to type, but I strongly recommend password protected keys. Actually phrase protected, such as a quote from a movie or book, preferably with punctuation and numbers.

As for "Something you have", yes, fingerprints, iris patterns, retinal patterns, flash drives, sequence generator keyfobs are all "Something you have", some are just more permanent. It would suck to forget the passphrase to your retinal pattern, though. :eek:
 

Thread Starter

Mathematics!

Joined Jul 21, 2008
1,036
Wait, I don't totally understand the benefits of pass-phrases?

The public/private key that ssh-keygen generates is put in the /etc/ssh folder.

Looking at the permissions:
-rw-r--r-- 1 root root 125749 2011-04-02 06:16 moduli
-rw-r--r-- 1 root root   1669 2011-04-02 06:16 ssh_config
-rw-r--r-- 1 root root   2489 2011-12-12 16:11 sshd_config
-rw------- 1 root root    672 2011-12-12 16:11 ssh_host_dsa_key
-rw-r--r-- 1 root root    600 2011-12-12 16:11 ssh_host_dsa_key.pub
-rw------- 1 root root    227 2011-12-12 16:11 ssh_host_ecdsa_key
-rw-r--r-- 1 root root    172 2011-12-12 16:11 ssh_host_ecdsa_key.pub
-rw------- 1 root root   1675 2011-12-12 16:11 ssh_host_rsa_key
-rw-r--r-- 1 root root    392 2011-12-12 16:11 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root    302 2011-01-10 13:48 ssh_import_id
Only root has rw privilege where the group can only read the public key and never even view the private keys.

So you are only giving out the public key, so how do pass-phrases strengthen the authentication process?

If it is just encrypting the .pub or private key files then this wouldn't make any difference, assuming the root or somebody that had privilege to read the files never divulged the private info.


Maybe I am misunderstanding you when it comes to pass-phrases.
 

thatoneguy

Joined Feb 19, 2009
6,359
If you carry the .pub key around on a flash drive, like I do, you can connect from anywhere.

If you are using cvs on the local system via console or ssh, then it doesn't really matter, if the system is compromised, then it is compromised.
 

Thread Starter

Mathematics!

Joined Jul 21, 2008
1,036
No, I meant this:

> Yes, ssh-keygen will allow you to add a passphrase to your key. Many people think a password free key is best, since they don't like to type, but I strongly recommend password protected keys. Actually phrase protected, such as a quote from a movie or book, preferably with punctuation and numbers.

Is the passphrase just encrypting the public key file, so if you put it on a usb drive
and somebody happened to get the usb, they couldn't even see the public key???

Because I don't get where the use of pass-phrases is going to strengthen anything.

Do you have any example that we can talk through?
 

thatoneguy

Joined Feb 19, 2009
6,359
If you are carrying a registered key for ssh, and a user knows what system that key allows access to, they only need to plug in the thumb drive and use the key for authentication.

If the key has a password on it, whoever found the drive would need to know the passphrase to use the key.


In my case, they'd need to know the TrueCrypt password to get to the hidden volume that holds my keys first, which most wouldn't even bother with, as it's 2MB of a 32G drive.
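
What the passphrase discussed in this thread protects, as an added example that is not part of the original posts: the sketch reads the header of an OpenSSH private key file and reports whether the private section is encrypted, and shows that the public key stored in the same file is readable without any passphrase. It assumes OpenSSH's `openssh-key-v1` file layout; the helper names and the sample keys are constructed for illustration (filler bytes, not usable keys).

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key file")
    return buf[off:off + n], off + n

def inspect_private_key(pem_text):
    """Return (protected, cipher, public_key_type); no passphrase is needed."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)    # b"none" means no passphrase
    _kdf, off = _read_string(blob, off)      # key-derivation function name
    _kdfopts, off = _read_string(blob, off)  # salt and rounds when encrypted
    off += 4                                 # uint32 number of keys
    pub, off = _read_string(blob, off)       # public key: always in the clear
    key_type, _ = _read_string(pub, 0)
    return cipher != b"none", cipher.decode(), key_type.decode()

def _s(data):
    return struct.pack(">I", len(data)) + data

def make_sample(cipher, kdf):
    """Constructed sample: real layout, filler bytes instead of key material."""
    pub = _s(b"ssh-ed25519") + _s(b"\x11" * 32)
    kdfopts = b"" if kdf == b"none" else _s(b"\x22" * 16) + struct.pack(">I", 16)
    blob = (MAGIC + _s(cipher) + _s(kdf) + _s(kdfopts)
            + struct.pack(">I", 1) + _s(pub) + _s(b"\x33" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    for label, sample in [("no passphrase", make_sample(b"none", b"none")),
                          ("with passphrase", make_sample(b"aes256-ctr", b"bcrypt"))]:
        print(label, inspect_private_key(sample))
```

A key file that reports `protected = False` can be used by anyone who obtains a copy of it, which is the lost-drive case described above.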
 

Thread Starter

Mathematics!

Joined Jul 21, 2008
1,036
> In my case, they'd need to know the TrueCrypt password

If you were encrypting the whole HDD, then what would be the point of using ssh-keygen with a pass-phrase anyway?

Since they would have to decrypt the drive, and if they could do that then you have bigger problems than them stealing a public key.
 

thatoneguy

Joined Feb 19, 2009
6,359
> If you were encrypting the whole HDD, then what would be the point of using ssh-keygen with a pass-phrase anyway?
>
> Since they would have to decrypt the drive, and if they could do that then you have bigger problems than them stealing a public key.

I guess I have to plead paranoia on that one. :D
 