2014-01-31 Brian <a...@cityscape.co.uk>:

> On Fri 31 Jan 2014 at 07:56:29 +0100, Raffaele Morelli wrote:
>
> > Brian argued that a private key+allowusers does not improve security with
> > respect to passwords+allowusers.
>
> I did :).
>
> > I use private key authentication with a 21-character passphrase which is
> > at minimum more secure than a 21-character password and unless someone
> > kidnaps and tortures me for the passphrase and steals one of my boxes for
> > the private key I wonder who can prove it is not.
>
> I think I see what you are getting at (please correct me if I am wrong).
>
> The passphrase protects the private key from being accessed. If there is
> no access to the private key then authentication cannot take place under
> any circumstances. It isn't even worthwhile trying. I agree with that.
>
> Because you need two things (passphrase + private key) you see this as
> being more secure than a password login because any Tom, Dick or Harry
> can throw passwords at sshd. Therefore this makes a password login
> *intrinsically* less secure. This is what I disagree with and would like
> to see some convincing evidence to support it. I hope I am not
> misrepresenting your view.
>

Here we go. To be more accurate, it's not that password login is less
secure, it's private key + passphrase that *adds* security because of its
nature. That way, even a user who picks a weak passphrase has somewhat
increased security.

> The myth has arisen because of so-called "script kiddy" probes. These
> are conducted on a level which is actually totally incompetent and
> stands no real chance of success but their existence is used to
> denigrate password logins. Even with a targeted *online* attack a good
> password has time on its side, just like a key.
>
> I've covered the argument in other posts; you would have to be very,
> very lucky to conduct a successful *online* exploit against a strong
> password.
>

Totally agree with this, my auth.log* are full of login attempts with
*stupid* user names, ridiculous password dictionaries and root login
attempts.

> > C'mon, what's the matter with private key authentication and the OP
> > request?
>
> There is nothing wrong with private key authentication. There is also
> nothing wrong with password authentication. You choose whichever one is
> suitable for your situation based on site policy and rational grounds.

/r
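To make the auth.log observation concrete, the following is an added example (not code from the thread or from any poster): it parses sshd lines in the Debian auth.log format and separates the dictionary noise the message describes (invented user names, root attempts) from failed guesses against real, non-root accounts, which are the only ones a password policy has to withstand. The host name, addresses and log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Debian auth.log format of the period (not real data).
SAMPLE_AUTH_LOG = """\
Jan 31 07:56:29 box sshd[4021]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Jan 31 07:56:31 box sshd[4021]: Failed password for root from 198.51.100.23 port 51236 ssh2
Jan 31 07:56:33 box sshd[4023]: Failed password for invalid user oracle from 198.51.100.23 port 51240 ssh2
Jan 31 07:56:40 box sshd[4030]: Accepted publickey for raffaele from 192.0.2.10 port 40000 ssh2
Jan 31 07:57:02 box sshd[4035]: Failed password for root from 203.0.113.7 port 60022 ssh2
Jan 31 07:57:05 box sshd[4036]: Failed password for raffaele from 203.0.113.7 port 60024 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
                         r"from (?P<ip>\S+) port \d+")

def summarize(lines):
    """Per source address: total failures, guessed names that do not exist here,
    root attempts, and failures against real non-root accounts."""
    failed = Counter()
    invalid = defaultdict(set)
    root = Counter()
    real_user = Counter()
    accepted = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            if m["invalid"]:
                invalid[m["ip"]].add(m["user"])
            elif m["user"] == "root":
                root[m["ip"]] += 1
            else:
                real_user[m["ip"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:  # record how each successful login authenticated (publickey vs password)
            accepted.append((m["method"], m["user"], m["ip"]))
    return {"failed": dict(failed), "invalid": {k: sorted(v) for k, v in invalid.items()},
            "root": dict(root), "real_user": dict(real_user), "accepted": accepted}

def noisy_sources(summary, threshold=3):
    """Addresses with at least `threshold` failures: the untargeted probe noise."""
    return sorted(ip for ip, n in summary["failed"].items() if n >= threshold)

if __name__ == "__main__":
    print(summarize(SAMPLE_AUTH_LOG.splitlines()))
```

The `real_user` bucket is the one worth watching: a source that only hits invented names and root is noise, while repeated failures against an account that exists tells you who a strong password (or key-only login) is actually protecting.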