[Ach] Fwd: SSH Pubkey authentication?
david.durvaux at gmail.com
Mon Jan 6 21:18:54 CET 2014
I agree with Aaron. Password authentication permit open the risk to brute
Key authentication could be difficult to handle.
If a good password policy is in place (long and difficult passwords), it's
reasonable to state that password authentication is safe.
The problem is the usual one: the human. But somehow, risk is the same
with private keys and passwords. If not kept secure, you are at risk ;-).
(My personal preference is to forbid passwords and rely on a well-protected
private key ;-)).
2014/1/6 Peter van Dijk <peter at 7bits.nl>
> Hi Lorenz,
> as a point of interest, please realise that an administrator has no way to
> enforce pass phrases on private keys!
> Cheers, Peter
> On 06 Jan 2014, at 18:02 , Lorenz Intichar <lorenz at intichar.at> wrote:
> > Hi Aaron,
> > just as a matter of interest: What security-wise disadvantages do you see
> > in ssh pubkey authentication, especially with a private key password set?
> > A big advantage is (of course) that password-guessing is impossible with
> > just pubkey, a disadvantage is that the right private key has to be present
> > wherever the operator is, possibly on unsafe devices like smartphones.
> > That issue is (hopefully) sufficiently addressed by password-protecting
> > the private key?
> > Best regards,
> > Lorenz
> >> Hi,
> >> Axel Hübl wrote:
> >>> Hi Lorenz,
> >>> I think promoting
> >>>> PasswordAuthentication no
> >>> is a good thing and worth to be added, too.
> >> I disagree. That's for administrators to decide if they want to use
> >> public key authentication or password auth. Both have advantages and
> >> disadvantages (security-wise and operational).
> >> Aaron
> >> _______________________________________________
> >> Ach mailing list
> >> Ach at lists.cert.at
> >> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
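Added example, not part of the original thread: the passphrase discussed above only encrypts the key file on the client, so sshd never sees whether one is set; the key file itself does record it. The sketch below assumes an audit that can read key files on managed clients (an assumption, not something the thread proposes), goes beyond the thread by covering the legacy PEM, PKCS#8 and openssh-key-v1 containers, and uses hypothetical function names with constructed, header-only sample data.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # magic prefix of OpenSSH's own key container


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def constructed_openssh_key(cipher: bytes) -> str:
    """Constructed sample: a header-only container with no real key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body = base64.b64encode(blob + struct.pack(">I", 1)).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


def is_passphrase_protected(key_text: str) -> bool:
    """Return True if the private key file declares itself encrypted."""
    lines = [ln.strip() for ln in key_text.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8, encrypted
        return True
    if label == "PRIVATE KEY":             # PKCS#8, plaintext
        return False
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            raise ValueError("not an openssh-key-v1 container")
        (n,) = struct.unpack_from(">I", blob, off)
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated cipher name")
        return cipher != b"none"           # "none" means no passphrase
    if label.endswith("PRIVATE KEY"):      # legacy RSA/DSA/EC PEM
        return any(ln.replace(" ", "") == "Proc-Type:4,ENCRYPTED"
                   for ln in lines[1:-1])
    raise ValueError("unrecognised key type: " + label)
```

A True result only shows that the file is encrypted, not that the passphrase is strong, and it says nothing about copies of the key held elsewhere.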