Passwdless login is infinitely better than passwd; in fact, on my system:
PermitRootLogin without-password
with, say, a 1024-bit key and, say, 10^6 tries per second, let's see ...
1024 log (2) / 10^6 is say 10^300 years to crack! Much better than any 10 char
passwd.
The weak link is storing YOUR private key. The rest is secure.
In fact, I'll TELL you my root passwd and you still can't get in.

I always thought the problem with keys and passwordless login was that
you end up with cascading exploits.
If I log in from box A --> box B with keys, and someone hacks box A, then
they automatically have access to box B, and C, and D and anything else
I use keys on.
If I can hack your box, I don't even need your root passwd, I'll just
log in directly to the box and it will let me straight in the front door.
With passwords, at least that isn't a problem (assuming you aren't a
complete idiot and have the same password for everything).
Adam K
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
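
The cascade described in the reply above can be measured from an inventory of which hosts hold which keys. The following is an added example, not part of the original messages: the inventory layout, host names and key blobs are constructed, and it assumes every private key stored on a host is usable by whoever controls that host (no passphrase, or already loaded in an agent).

```python
import base64
import hashlib
from collections import deque

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def fingerprint(line):
    """SHA256 fingerprint (ssh-keygen -l style) of a .pub or authorized_keys line."""
    if line.lstrip().startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields[:-1]):  # skip any leading options field
        if field.startswith(KEY_TYPES):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None  # blank or unparsable line

def blast_radius(inventory, start):
    """Hosts reachable through key logins once `start` is compromised."""
    accepts = {}  # fingerprint -> hosts whose authorized_keys trust it
    for host, info in inventory.items():
        for line in info["authorized"]:
            fp = fingerprint(line)
            if fp:
                accepts.setdefault(fp, set()).add(host)
    seen, queue = {start}, deque([start])
    while queue:
        host = queue.popleft()
        for line in inventory[host]["holds"]:
            for nxt in accepts.get(fingerprint(line), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen

def blob(name):
    """Constructed stand-in for a real base64 public key blob."""
    return base64.b64encode(b"constructed key " + name.encode()).decode()

# Constructed inventory: "holds" lists the public halves of private keys stored
# on the host; "authorized" lists the host's authorized_keys lines.
INVENTORY = {
    "A": {"holds": ["ssh-rsa %s adam@A" % blob("adam")], "authorized": []},
    "B": {"holds": ["ssh-rsa %s backup@B" % blob("backup")],
          "authorized": ["no-agent-forwarding ssh-rsa %s adam@A" % blob("adam")]},
    "C": {"holds": [], "authorized": ["ssh-rsa %s adam@A" % blob("adam")]},
    "D": {"holds": [], "authorized": ["ssh-rsa %s backup@B" % blob("backup")]},
    "E": {"holds": [], "authorized": ["ssh-rsa %s other@X" % blob("other")]},
}
```

With this inventory, losing A exposes B and C directly and D through the key stored on B, while E stays out of reach.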