
Re: OT: Safe to access SSH server from work?



On 05/06/2011 02:50 PM, CACook@quantum-sci.com wrote:
> On Friday 6 May, 2011 05:15:23 Brian wrote:
>>> What you're missing is the difference between someone trying to hack from the
>>> client machine... and a remote script trying to brute-force your server.  Big
>>> difference.
>> No I'm not. But please explain the difference, bearing in mind the
>> complete ineffectiveness of remote scripts and the length of time needed
>> to guess even a 15 character password.
> Yes.  You are.
>
> To allow passwords for remote login makes it possible for every SSH worm crawling around out there to try and try until it gets it right.  And there are lots of them.  And no, they -are- effective.
>
> To disable passwords on the server and use a key means you are asked for a password at the client, to open the key, and then once authenticated the key goes on to authenticate with the server.  Scripts banging away passwords on the server can never succeed.  Users on the client machine must have the key's password or they can't use it.


Not that easy, scripts which block bots like denyhosts or pam-abl http://pam-abl.deksai.com/ make the life of the bots much harder ....

Regards,
Alex
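
The kind of check that log-watching blockers perform, as an added example that is not part of the original message and is not code from denyhosts or pam-abl: it counts sshd "Failed password" lines per source address inside a sliding window and reports the addresses a blocker would ban. The function name, the threshold, the window, the hostname `gw` and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH's failed-password message as it appears in syslog-style auth logs.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample input (documentation-range addresses, made-up host name).
SAMPLE = [
    "May  6 14:50:01 gw sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2",
    "May  6 14:50:04 gw sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40120 ssh2",
    "May  6 14:50:09 gw sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40131 ssh2",
    "May  6 14:52:30 gw sshd[2110]: Failed password for alex from 198.51.100.7 port 50022 ssh2",
    "May  6 14:52:41 gw sshd[2112]: Accepted publickey for alex from 198.51.100.7 port 50030 ssh2",
]

def offenders(lines, threshold=3, window=timedelta(minutes=10), year=2011):
    """Return {ip: usernames tried} for every source with at least
    `threshold` failed password attempts inside one `window`."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            # Syslog timestamps carry no year, so the caller supplies one.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in offenders(SAMPLE).items():
        print(f"{ip}: would be blocked after trying {', '.join(users)}")
```

A single mistyped password from a legitimate user (198.51.100.7 in the sample) stays under the threshold, which is why such tools count attempts over time rather than reacting to one failure.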

