On Tue, 2 Feb 2010 23:09:14 -0500 (EST) Jon Jensen <[email protected]> wrote:
> On Tue, 2 Feb 2010, Charles Curley wrote:
>
> > Setting up public key auth is as simple as getting the users'
> > public keys onto the servers so they can log in, and verifying the
> > correct permissions. One public key per user you expect them to use.
> >
> > Using passwords means the passwords are sent over the net using
> > weak or no encryption.
>
> Is that true? I don't think it is, for ssh. Passwords are always sent
> over the ssh tunnel using the same strong encryption that's used for
> the rest of the ssh conversation. They are as secure against
> 3rd-party snooping as anything else about the ssh session.

You are correct, thank you. I spoke from old or incorrect information.

> The weakness with password authentication is that the server
> receiving the password can be modified to store the plaintext
> password, which, if it was used for other accounts or servers, can be
> used to log in elsewhere without authorization. Public-key
> cryptography avoids this weakness. Passwords are also much more
> likely to be guessed in a brute-force attack than ssh secret keys
> (aside from the Debian OpenSSL fiasco of 2008!). But the passwords
> are safe enough during transit.

Correct.

-- 
Charles Curley
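The thread's recommendation (public keys on the server, password authentication off, key file permissions checked) as a small audit script. This is an added example written for this page, not code from the PLUG list or from OpenSSH; it assumes standard top-level `Keyword value` lines in sshd_config (Match blocks are not handled) and either GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit the sshd_config keywords that
# decide password vs. public-key login, and check that an authorized_keys
# file is not writable by group or others. Runs against constructed files.

sshd_config_value() {
    # usage: sshd_config_value FILE KEYWORD DEFAULT
    # sshd honours the FIRST occurrence of a keyword; later lines are ignored.
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

audit_sshd_config() {
    # Returns 0 when passwords are off and public keys are on, 1 otherwise.
    # Defaults mirror OpenSSH: both keywords are "yes" when absent.
    pw=$(sshd_config_value "$1" PasswordAuthentication yes)
    pk=$(sshd_config_value "$1" PubkeyAuthentication yes)
    rc=0
    [ "$pw" = no ]  || { echo "WEAK: PasswordAuthentication is '$pw' in $1"; rc=1; }
    [ "$pk" = yes ] || { echo "WEAK: PubkeyAuthentication is '$pk' in $1"; rc=1; }
    return $rc
}

check_key_file_mode() {
    # authorized_keys must not be group- or world-writable, or sshd (StrictModes)
    # ignores it. Accepts 600, 604, 640, 644; anything else is reported.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        6[04][04]) return 0 ;;
        *) echo "WEAK: $1 has mode $mode (expected 600/644-style)"; return 1 ;;
    esac
}

# Demo on constructed config files in a temp dir; no real server is touched.
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$demo_dir/sshd_config.weak"
printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n'  > "$demo_dir/sshd_config.hardened"
if audit_sshd_config "$demo_dir/sshd_config.weak"; then echo "weak config passed?!"; fi
if audit_sshd_config "$demo_dir/sshd_config.hardened"; then echo "hardened config OK"; fi
rm -rf "$demo_dir"
```

On a real host, point `audit_sshd_config` at /etc/ssh/sshd_config and `check_key_file_mode` at each user's ~/.ssh/authorized_keys.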
