On Fri, Jan 28, 2005 at 11:57:42AM -0800, [EMAIL PROTECTED] wrote:
I just authenticate with a password and don't require keys.
If no RSA then aren't you sending your password in the clear?
I don't believe so. My understanding is that ssh establishes a secure communication channel _before_ sending your username, let alone passwd. Then if the machine doesn't like you, it breaks the connection.
Due to the large number of username/password guessing probes that I've been seeing (thanks to logwatch) on my home system, I've disabled password authentication altogether.
I have a new policy for internet-connected hosts that belong to me of configuring sshd with a minimum of:
    Protocol 2
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitEmptyPasswords no
... in addition to whatever the defaults provided by the system's install of ssh happen to be.
This works for me because I've installed the pubkeys for both my notebook and my workstation at the office on my machines. It makes me feel better knowing that password authentication can't be brute-forced now, since it's turned off.
Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu
--
KPLUG-List mailing list [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
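
An added example, not part of the original message: a small audit of sshd_config text against the four directives listed above. It assumes sshd's rule that the first value obtained for a keyword is the one used, and it simplifies by ignoring everything from the first Match block onward; the names REQUIRED, effective_settings, audit and SAMPLE are made up for this sketch.

```python
# Added example: check sshd_config text against the minimum policy in the message.
REQUIRED = {
    "protocol": "2",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
}

def effective_settings(config_text):
    """Return the global value sshd would use for each keyword.

    Keywords are case-insensitive and sshd keeps the first value it
    obtains for a keyword, so a later duplicate line changes nothing.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # simplification: lines after a Match are treated as out of scope
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins
    return settings

def audit(config_text):
    """Return {keyword: problem} for every required directive that is not met."""
    effective = effective_settings(config_text)
    problems = {}
    for keyword, wanted in REQUIRED.items():
        got = effective.get(keyword)
        if got is None:
            problems[keyword] = "not set, system default applies"
        elif got.lower() != wanted:
            problems[keyword] = f"effective value is {got!r}, expected {wanted!r}"
    return problems

# Constructed sample: the later "no" does not override the earlier "yes".
SAMPLE = """\
# constructed sshd_config fragment
Protocol 2
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

if __name__ == "__main__":
    for keyword, problem in audit(SAMPLE).items():
        print(f"{keyword}: {problem}")
```

On a live host, `sshd -T` prints the effective configuration and can be compared against the same four values.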
