Re: Preventing Auto-Login

On Tue, 15 Jul 2008 18:14:27 -0700 (PDT) Nico Kadel-Garcia wrote:
| On 15 Jul, 19:39, comph...@toddh.net (Todd H.) wrote:
|
|> Key based auth is actually more secure than password auth as it
|> resists brute force attacks much better. If you've checked log files
|> for any sshd on the internet, you know that brute force attacks are
|> out there in force!
|
| Survey says.... maybe not. Many lazy programmers use passphrase-less
| SSH keys for all sorts of inappropriate system access. And the
| behavior of ssh-keygen to allow such passwords, by default, by simply
| refusing to type in a passphrase contributes heavily to the problem,
| and to the attitude, that merely using SSH keys makes things secure.
|
| Having an unprotected SSH key is as bad as taping your password under
| your keyboard, and they're much easier to steal off of backup tapes or
| NFS shares. If you're somewhat aggressive about your site security,
| it's a good policy to check users' .ssh/ directories for password-free
| keys.

Maybe more people would do this if the agent were easier to work with.
I tried it several years ago and it really just didn't work right. No
one helped, so I gave up on it. Biggest issue (but not the only one)
was making sure each ssh client could find the agent. Something better
than an environment variable is needed.
--
|WARNING: Due to extreme spam, googlegroups.com is blocked. Due to ignorance |
| by the abuse department, bellsouth.net is blocked. If you post to |
| Usenet from these places, find another Usenet provider ASAP. |
| Phil Howard KA9WGN (email for humans: first name in lower case at ipal.net) |
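
The audit suggested in the quoted text (checking users' .ssh/ directories for passphrase-free keys), as an added example that is not part of the thread. It goes beyond the PEM keys of 2008 to also cover PKCS#8 and the newer OpenSSH key format; the function names, the `/home` layout and the sample keys are assumptions constructed for illustration.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"  # header of the newer OpenSSH private key format

def key_protection(text):
    """Return 'encrypted', 'unprotected' or 'not-a-key' for a key file's text."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and "PRIVATE KEY" in lines[0]):
        return "not-a-key"
    if "ENCRYPTED PRIVATE KEY" in lines[0]:       # PKCS#8, encrypted variant
        return "encrypted"
    if "OPENSSH PRIVATE KEY" in lines[0]:
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return "not-a-key"
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return "not-a-key"
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # First length-prefixed string is the cipher name; "none" = no passphrase
        cipher = blob[off + 4:off + 4 + n]
        return "unprotected" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): a passphrase shows up as an RFC 1421 header
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4]):
        return "encrypted"
    return "unprotected"

def find_unprotected_keys(home_root="/home"):
    """List files under <home_root>/*/.ssh/ that are passphrase-free private keys."""
    hits = []
    for path in sorted(Path(home_root).glob("*/.ssh/*")):
        try:
            if path.is_file() and key_protection(
                    path.read_text(errors="replace")) == "unprotected":
                hits.append(str(path))
        except OSError:
            continue  # unreadable file: skip (run the audit with enough privilege)
    return hits

# Constructed samples; the base64 bodies are not real key material
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                "-----END RSA PRIVATE KEY-----\n")
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
```

The check reads only the unencrypted header of each file, so it needs no passphrase and never touches the key material itself.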