Date: Tue, 24 Oct 2006 21:58:58 -0500
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-questions@freebsd.org
Cc: Jeff MacDonald <bignose@gmail.com>, Atom Powers <atom.powers@gmail.com>
Subject: Re: a simple questions about sshd and PasswordAuthentication
Message-ID: <200610242158.59083.josh@tcbug.org>
In-Reply-To: <df9ac37c0610241954q7d9d5decya7413dd44fafc5c9@mail.gmail.com>
References: <f17daf040610241940g7daa4552xb62f84fd4061607a@mail.gmail.com> <df9ac37c0610241954q7d9d5decya7413dd44fafc5c9@mail.gmail.com>

On Tuesday 24 October 2006 21:54, Atom Powers wrote:
> On 10/24/06, Jeff MacDonald <bignose@gmail.com> wrote:
> > Is there anything inherently dangerous or wrong about enabling
> > PasswordAuthentication in sshd_config ?
> >
> > I understand how public keys are better and everything else. And
> > I do use them. I'm just curious.
>
> There are many arguments for and against, but /inherently/ they
> are the same. You are comparing your secret to the secret stored on
> the server. Keys just tend to be much longer secrets, and are also
> more difficult to change.

I don't know about that. With password authentication someone has to
guess a valid username and password. With key authentication someone
has to guess a valid username, key, and passphrase.

While I have boxes that experience thousands of password-based brute
force attempts a day, I don't recall anyone ever bothering to try and
brute-force a key.

My personal opinion is that if you are using key-based authentication
you are for all practical purposes invulnerable to brute-forcing. The
only way someone is going to get in is via an exploit in ssh or by
stealing the key and passphrase from a valid user.

-- 
Thanks,

Josh Paetzel
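
Added example, not part of the original message: a small log summarizer for the password guessing described above, which tallies failed password attempts per source address and flags any password login accepted from a source that was also guessing. The log lines are constructed in the format OpenSSH's sshd writes; the threshold of 3 and the function name are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the line format OpenSSH's sshd writes to the auth log.
# Addresses are from the documentation ranges; user names are made up.
SAMPLE_LOG = """\
Oct 24 21:40:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 24 21:40:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 24 21:40:05 host sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Oct 24 21:40:09 host sshd[1004]: Failed password for bob from 203.0.113.5 port 51260 ssh2
Oct 24 21:41:12 host sshd[1005]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Oct 24 21:41:30 host sshd[1006]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
Oct 24 21:42:44 host sshd[1007]: Accepted password for bob from 203.0.113.5 port 51302 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def summarize(log_text, threshold=3):
    """Tally failed password attempts per source and flag password logins
    accepted from a source that reached the failure threshold."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append(m.groups())  # (method, user, source)
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    # Key-based logins are ignored here: only an accepted *password* from a
    # guessing source suggests that a guess succeeded.
    suspect = [(user, src) for method, user, src in accepted
               if method == "password" and src in noisy]
    return {
        "noisy_sources": noisy,
        "users_tried": {src: sorted(users_tried[src]) for src in noisy},
        "suspect_logins": suspect,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

With PasswordAuthentication disabled, the "Failed password" lines stop being a path to a login, and the suspect list stays empty because no password login can be accepted.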