On 2011 Feb 22, at 08:04, Yves Dorfsman wrote:

> True. One pet peeve of mine is password-less ssh. For a server with protected
> physical access, that's one thing, but for a user on a laptop without
> encryption, please use a password. Most OSes have key management systems that
> let you type your password once only, which renders the keys useless after a
> reboot, and yet give you nearly the same convenience as password-less ssh.
You're confusing passwords with a form of two-factor authentication (encrypted private keys). Strong authentication, based on something you have and something you know, is a good thing. Passwords, as single-factor authentication, are only exceeded by simple PINs for how insecure they are.

I've heard it argued that if we would stop telling users not to write their passwords down, the users would actually start treating them like credit cards and be more secure with them. The problem is how often I see users who mistreat their credit cards, giving the numbers to other humans freely to use "just once", etc.

For a user with a laptop, the last thing they should use is a password. For a user with a secured physical system, the last thing they should use is a password. Use strong authentication, and please, remember, you only have ten fingers. Something you are does not constitute a factor of strong authentication. All factors must be capable of revocation.

With SSH public keys today, there is no excuse not to use public keys. Yes, those public keys should be stored encrypted so that only the holder of the passphrase can unlock them. We require any Unix-based account with a password (except root) to have documentation of non-compliance and a plan to remediate.

Make it easy for users to push out their new public keys. Make it easy for them to secure their keys properly. Once our users started using public key authentication, they started complaining bitterly to those SAs who tried to require traditional passwords.

----
"The speed of communications is wondrous to behold. It is also true that speed can multiply the distribution of information that we know to be untrue." Edward R Murrow (1964)

Mark McCullough
[email protected]

_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
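The message above asks that private keys be stored encrypted and that SAs make it easy for users to secure their keys properly. As an added example, not part of this thread or of any tool the list discusses, here is a small Python audit that reads private key files and reports which ones are not passphrase-protected, by inspecting only the container headers (the openssh-key-v1 cipher/KDF names, PKCS#8 header variants, and the legacy PEM `Proc-Type`/`DEK-Info` lines). The key files it runs over are constructed header-only stubs, not real keys, and the user and path names are made up.

```python
import base64
import struct

# Magic prefix of the current OpenSSH private key container ("openssh-key-v1").
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _pack_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, offset: int):
    """Decode an SSH wire-format string at offset; return (value, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def classify_private_key(text: str) -> dict:
    """Report the container format of a private key and whether it is passphrase-protected.

    Only headers are inspected; no key material is parsed or decrypted.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return {"format": "unknown", "encrypted": None, "cipher": None}
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Modern format: magic, then the cipher name and KDF name as wire strings.
        # An unprotected key carries cipher "none" and kdf "none".
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return {"format": "openssh", "encrypted": None, "cipher": None}
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        cipher = cipher.decode("ascii")
        return {"format": "openssh", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf.decode("ascii")}

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8 with password-based encryption; the header alone tells us.
        return {"format": "pkcs8", "encrypted": True, "cipher": None}
    if header == "-----BEGIN PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": False, "cipher": None}

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by
    # "Proc-Type: 4,ENCRYPTED" and "DEK-Info: <cipher>,<iv>" header lines.
    headers = {}
    for ln in lines[1:]:
        if ln.startswith("-----") or ":" not in ln:
            break
        key, value = ln.split(":", 1)
        headers[key.strip()] = value.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "").split(",")[0] or None
    return {"format": "pem", "encrypted": encrypted, "cipher": cipher}


def audit_keys(key_files: dict) -> list:
    """Return names of keys that are NOT passphrase-protected (or could not be judged)."""
    return sorted(name for name, text in key_files.items()
                  if classify_private_key(text)["encrypted"] is not True)


# --- CONSTRUCTED samples: header-only stubs, not real keys -------------------

def make_openssh_stub(cipher: str, kdf: str) -> str:
    """Build a constructed openssh-key-v1 file carrying only the header fields."""
    blob = (OPENSSH_MAGIC + _pack_string(cipher.encode()) + _pack_string(kdf.encode())
            + _pack_string(b"") + struct.pack(">I", 1))   # empty kdfoptions, nkeys = 1
    b64 = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


PEM_ENCRYPTED_STUB = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

Y29uc3RydWN0ZWQgc3R1Yiwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

PEM_PLAIN_STUB = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc3R1Yiwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

# Made-up user/path names; contents are the constructed stubs above.
SAMPLE_KEYS = {
    "alice/id_ed25519": make_openssh_stub("aes256-ctr", "bcrypt"),  # protected
    "bob/id_ed25519": make_openssh_stub("none", "none"),            # NOT protected
    "carol/id_rsa": PEM_ENCRYPTED_STUB,                             # protected
    "dave/id_rsa": PEM_PLAIN_STUB,                                  # NOT protected
}

if __name__ == "__main__":
    for name in audit_keys(SAMPLE_KEYS):
        print(f"{name}: private key is not passphrase-protected")
```

Because the check never decrypts anything, it can run from a central place over keys users upload alongside their public keys, and a key whose format it cannot judge is reported rather than silently passed. Passphrase strength, of course, cannot be read from the header; the passphrase and agent-based unlocking described earlier in the thread remain the user's side of the bargain.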
