On Fri 31 Jan 2014 at 07:56:29 +0100, Raffaele Morelli wrote:

> Brian argued that a private key+allowusers does not improve security with
> respect to passwords+allowusers.

I did :).

> I use private key authentication with a 21 characters passphrase which is
> at minimum more secure than a 21 characters password and unless someone
> kidnaps and tortures me for the passphrase and steals one of my boxes for
> the private key I wonder who can prove it is not.

I think I see what you are getting at (please correct me if I am wrong).
The passphrase protects the private key from being accessed. If there is
no access to the private key then authentication cannot take place under
any circumstances. It isn't even worthwhile trying. I agree with that.

Because you need two things (passphrase + private key) you see this as
being more secure than a password login because any Tom, Dick or Harry
can throw passwords at sshd. Therefore this makes a password login
*intrinsically* less secure. This is what I disagree with and would like
to see some convincing evidence to support it. I hope I am not
misrepresenting your view.

The myth has arisen because of so-called "script kiddy" probes. These are
conducted on a level which is actually totally incompetent and stands no
real chance of success but their existence is used to denigrate password
logins. Even with a targeted *online* attack a good password has time on
its side, just like a key. I've covered the argument in other posts; you
would have to be very, very lucky to conduct a successful *online* exploit
against a strong password.

> C'mon, what's the matter with private key authentication and the OP request?

There is nothing wrong with private key authentication. There is also
nothing wrong with password authentication. You choose whichever one is
suitable for your situation based on site policy and rational grounds.