
07-16-2008, 12:19 AM
Re: Preventing Auto-Login

Nico Kadel-Garcia writes:
> On 15 Jul, 19:39, comph...@toddh.net (Todd H.) wrote:
>
>> Key based auth is actually more secure than password auth as it
>> resists brute force attacks much better. If you've checked log files
>> for any sshd on the internet, you know that brute force attacks are
>> out there in force!
>
> Survey says.... maybe not. Many lazy programmers use passphrase-less
> SSH keys for all sorts of inappropriate system access. And the
> behavior of ssh-keygen to allow such passwords, by default, by simply
> refusing to type in a passphrase contributes heavily to the problem,
> and to the attitude, that merely using SSH keys makes things secure.
>
> Having an unprotected SSH key is as bad as taping your password under
> your keyboard, and they're much easier to steal off of backup tapes or
> NFS shares. If you're somewhat aggressive about your site security,
> it's a good policy to check users' .ssh/ directories for password-free
> keys.

Which, if you read the rest of my post other than what you trimmed and
quoted, you'd see I agree with as well.
--
Todd H. http://www.toddh.net/
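
The check suggested in the quoted text, scanning users' .ssh/ directories for private keys with no passphrase, can be done by reading the key file headers. This is an added example, not part of the original thread; the function names and sample keys are constructed for illustration, and it goes beyond the PEM key files discussed here to also cover PKCS#8 and the newer OpenSSH key format.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Constructed, header-only samples (no real key material).
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

def sample_openssh(cipher):
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def key_is_unprotected(text):
    """True: private key without passphrase; False: encrypted; None: not a parsable private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return False
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])  # length of the cipher name
        cipher = blob[off + 4:off + 4 + n]
        return cipher == b"none" if len(cipher) == n else None
    # Traditional PEM: encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header.
    return not any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def audit_ssh_dir(ssh_dir):
    """Return paths of passphrase-less private keys found in one .ssh directory."""
    findings = []
    for path in sorted(Path(ssh_dir).iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if key_is_unprotected(text):
            findings.append(str(path))
    return findings
```

Run `audit_ssh_dir()` over each user's .ssh directory with enough privilege to read the key files; only headers are inspected, so no key material is decrypted or copied.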