On Apr 1, 2005, at 6:23 AM, Michael Stone wrote:
> On Fri, Apr 01, 2005 at 01:23:09AM -0800, Chris Adams wrote:
>> Or no passwords - if requiring public key authentication is feasible for a system you can disable password authentication entirely:
>
> I generally consider that to be a horrible idea. Instead of centrally managed password policies you now have your security entrusted to the security of all of your users' ssh keys. IME most users aren't really careful about how they handle those.
There's no difference between the two as regards policy - it's a one-line command to change either a password or key, you can audit both, etc. - and it's still game-over if the user's client is trojaned. The two advantages to keys are the fact that a key doesn't get sent to the remote host (preventing the sort of collection attacks that are becoming common on large networks) and that a key is effectively longer than a password, making a direct brute-force attack impossible and protecting you somewhat from casual attacks against weak passwords: if I obtain a copy of a user's password, a public-key-only policy means that I still need some sort of privileged access to their home directory to exploit it - far from impossible but significantly more work for the kiddies.
Chris
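An audit check in the spirit of the key-only policy discussed above, added here as an example and not part of the original thread: it reads the effective configuration as printed by `sshd -T` and fails unless password and keyboard-interactive logins are off and public-key logins are on. The two sample configurations are constructed; the keyword names are assumed to be the ones OpenSSH prints (older releases print challengeresponseauthentication instead of kbdinteractiveauthentication).

```shell
# Added example (not from the thread). Parses `sshd -T` output, which is
# one lowercase "keyword value" line per keyword, and checks that sshd
# only accepts public-key logins.

# Print the lowercased value of keyword $1 from sshd -T text on stdin,
# or "unset" if the keyword does not appear.
sshd_opt() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); found = 1 }
                   END { if (!found) print "unset" }'
}

# Return 0 when the config enforces key-only logins; otherwise print
# each finding and return 1, so this works as a cron or CI check.
key_only_policy() {
    cfg=$1
    rc=0
    pw=$(printf '%s\n' "$cfg" | sshd_opt passwordauthentication)
    kb=$(printf '%s\n' "$cfg" | sshd_opt kbdinteractiveauthentication)
    cr=$(printf '%s\n' "$cfg" | sshd_opt challengeresponseauthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_opt pubkeyauthentication)
    [ "$pw" = no ] || { echo "FAIL: passwordauthentication is $pw"; rc=1; }
    # Keyboard-interactive normally hands the prompt to PAM, which is a
    # password prompt again unless it is switched off as well.
    [ "$kb" != yes ] && [ "$cr" != yes ] ||
        { echo "FAIL: keyboard-interactive authentication is enabled"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: pubkeyauthentication is $pk"; rc=1; }
    return $rc
}

# Constructed sample outputs standing in for `sshd -T` on two hosts.
WEAK_CFG='port 22
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes'

HARDENED_CFG='port 22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

# On a live host use: key_only_policy "$(sshd -T)". Match blocks can
# re-enable passwords for particular users, so also check the view for
# such a user with: sshd -T -C user=NAME,host=HOST,addr=ADDR
key_only_policy "$WEAK_CFG"     || echo "weak sample: rejected"
key_only_policy "$HARDENED_CFG" && echo "hardened sample: key-only"
```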