On Tue, 2 Feb 2010, Charles Curley wrote:

> Setting up public key auth is as simple as getting the users' public
> keys onto the servers so they can log in, and verifying the correct
> permissions. One public key per user you expect them to use.
>
> Using passwords means the passwords are sent over the net using weak or
> no encryption.
Is that true? I don't think it is, for ssh. Passwords are always sent over the ssh tunnel using the same strong encryption that's used for the rest of the ssh conversation. They are as secure against 3rd-party snooping as anything else about the ssh session.

The weakness with password authentication is that the server receiving the password can be modified to store the plaintext password, which, if it was used for other accounts or servers, can be used to log in elsewhere without authorization. Public-key cryptography avoids this weakness.

Passwords are also much more likely to be guessed in a brute-force attack than ssh secret keys (aside from the Debian OpenSSL fiasco of 2008!). But the passwords are safe enough during transit.

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
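The two concrete steps the thread touches on, putting a user's public key in place with the right permissions (Charles's point) and making sure the server no longer takes passwords at all, so a tampered sshd has nothing to capture (Jon's point), as an added example that is not code from the thread or from OpenSSH. Everything runs inside a temporary directory: the user name "alice", the sample key, the sshd_config fragments and the helper names (install_pubkey, check_perms, password_auth_enabled) are all made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread or from OpenSSH. Works entirely
# inside a temporary directory; the user "alice" and the key are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample public key: ssh-keygen-style layout, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForIllustrationOnly0000000000000 alice@example'

# mode_of PATH: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# install_pubkey HOME PUBKEY: add PUBKEY once to HOME/.ssh/authorized_keys
# and set the modes sshd's StrictModes expects (no group/other access).
install_pubkey() {
  home=$1; pubkey=$2
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # "One public key per user": the same key twice is just clutter.
  grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# check_perms HOME: succeed only if .ssh is 700 and authorized_keys is 600.
# sshd itself only refuses group/world-writable files; this is the stricter
# convention usually recommended.
check_perms() {
  home=$1
  [ "$(mode_of "$home/.ssh")" = 700 ] &&
  [ "$(mode_of "$home/.ssh/authorized_keys")" = 600 ]
}

# password_auth_enabled CONFIG: succeed if sshd would still accept passwords.
# sshd uses the first value it sees for a keyword and the default is "yes",
# so an absent keyword counts as enabled. Match blocks are not handled here.
password_auth_enabled() {
  value=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
  [ "${value:-yes}" = yes ]
}

# --- demo ---------------------------------------------------------------
ALICE_HOME=$WORK/alice
install_pubkey "$ALICE_HOME" "$SAMPLE_PUBKEY"
install_pubkey "$ALICE_HOME" "$SAMPLE_PUBKEY"   # second call must not duplicate
if check_perms "$ALICE_HOME"; then
  echo "permissions ok: $ALICE_HOME/.ssh"
fi

# Constructed sshd_config fragments (not a real server's config).
WEAK_CONF=$WORK/sshd_config.weak      # passwords still accepted
HARD_CONF=$WORK/sshd_config.keyonly   # key-only logins
EMPTY_CONF=$WORK/sshd_config.empty    # keyword absent: sshd default (yes)
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$WEAK_CONF"
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
              'ChallengeResponseAuthentication no' > "$HARD_CONF"
: > "$EMPTY_CONF"

for conf in "$WEAK_CONF" "$HARD_CONF" "$EMPTY_CONF"; do
  if password_auth_enabled "$conf"; then
    echo "$(basename "$conf"): server still accepts passwords"
  else
    echo "$(basename "$conf"): key-only login"
  fi
done
```

The hardened fragment turns off ChallengeResponseAuthentication as well, because with PAM in the picture a keyboard-interactive prompt can otherwise still ask for the password even when PasswordAuthentication is "no". Run the audit against a real /etc/ssh/sshd_config only as a first pass: it ignores Match blocks, so a per-group override would not show up.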