Re: Preventing Auto-Login

On 15 Jul, 19:39, comph...@toddh.net (Todd H.) wrote:
> Key based auth is actually more secure than password auth as it
> resists brute force attacks much better. If you've checked log files
> for any sshd on the internet, you know that brute force attacks are
> out there in force!

Survey says.... maybe not. Many lazy programmers use passphrase-less
SSH keys for all sorts of inappropriate system access. And the
behavior of ssh-keygen to allow such passwords, by default, by simply
refusing to type in a passphrase contributes heavily to the problem,
and to the attitude, that merely using SSH keys makes things secure.
Having an unprotected SSH key is as bad as taping your password under
your keyboard, and they're much easier to steal off of backup tapes or
NFS shares. If you're somewhat aggressive about your site security,
it's a good policy to check users' .ssh/ directories for password-free
keys.
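
One way to run the check suggested in the post above, as an added example that is not part of the original message: it classifies each file in a .ssh/ directory by reading the cipher name from the OpenSSH `openssh-key-v1` header, the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys, or the PKCS#8 label. The function names, the directory passed to `audit`, and the header-only sample keys are assumptions constructed for illustration.

```python
import base64, re, struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n]

def key_protection(text):
    """Return 'encrypted', 'unprotected' or 'not-a-key' for one file's text."""
    m = PEM.search(text)
    if not m:
        return "not-a-key"                      # public keys, config, known_hosts
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 with encryption
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":          # new format: cipher name follows magic
        try:
            blob = base64.b64decode("".join(body.split()))
            cipher = read_string(blob, len(MAGIC))
        except (ValueError, struct.error):
            return "not-a-key"
        if not blob.startswith(MAGIC):
            return "not-a-key"
        return "unprotected" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC) marks encryption in a Proc-Type header; plain PKCS#8 has none.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unprotected"

def audit(ssh_dir):
    """Names of files in ssh_dir (hypothetical path) holding passphrase-less keys."""
    return [p.name for p in sorted(Path(ssh_dir).iterdir())
            if p.is_file() and key_protection(p.read_text(errors="replace")) == "unprotected"]

def sample_openssh(cipher):
    """Constructed sample: header fields only, no real key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(b"none" if cipher == b"none" else b"bcrypt") + s(b"")
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(key_protection(sample_openssh(b"none")))        # passphrase-less
    print(key_protection(sample_openssh(b"aes256-ctr")))  # passphrase-protected
```

A key reported as "encrypted" only has a passphrase set; the check says nothing about how strong that passphrase is.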