On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote:

> On Tue, 28 Jan 2014 18:42:34 +0000
> Brian <a...@cityscape.co.uk> wrote:
>
> > The AllowUsers directive is a legitimate way to restrict ssh logins to
> > certain users. However, I do not see what (ssh keys + AllowUsers)
> > brings to the party that (password + AllowUsers) doesn't.
>
> A key (if kept secret) is even harder to "guess" than a
> password,

I'd like to see a complex, random, high-entropy 20 character password which
is guessable (or capable of being cracked) in a timeframe which has some
significance. I'll give you "even harder" but it is of no great consequence
if you consider the situation where an online subversion of a user's account
is being attempted and a good password is in place.

> also it's not "ssh keys + AllowUsers" it's (or should be)
> "ssh key + key pass-phrase + AllowUsers".

The key pass-phrase is never seen by the server; it plays no part in an ssh
login. You may think it does but the server doesn't.

ssh keys + AllowUsers and password + AllowUsers are equally secure.
AllowUsers does what it says. It may be a requirement of the site being
accessed but it plays no part in the security underlying an ssh login.

There are security advantages to logging in with ssh keys; the strength of a
key isn't one of them. However, ssh key proponents never seem to mention
them. They instruct: "Use private key authentication"; no explanation, no
justification, nothing to indicate why it might be more appropriate for the
situation under discussion. It's as though they are mesmerised by the number
of bits which a key can contain.

To return to the original point of this thread: logging in as root with a
key or with a password carries the same risk. I would say it is close to zero
in both cases.

Archive: http://lists.debian.org/20140130202637.gn3...@copernicus.demon.co.uk
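The thread argues about what AllowUsers, PermitRootLogin and PasswordAuthentication do and do not add to each other. The evaluator below is an added example written for this page; it is not code from the thread, from Debian or from OpenSSH. It parses the global section of an sshd_config in the way sshd reads it (keyword case-insensitive, first occurrence of a keyword wins) and answers whether a given user may authenticate with "password" or "publickey". Assumptions: the OpenSSH defaults of `PermitRootLogin prohibit-password` and both authentication methods enabled; `Match` blocks, AllowGroups/DenyGroups and the `command=` requirement of `forced-commands-only` are not modelled; only the USER part of a USER@HOST pattern is checked because the client address is unknown; the sample config is constructed.

```python
"""Evaluate sshd_config login policy for a user and auth method.

Added illustration for the AllowUsers thread above; not OpenSSH code.
Only the global section is modelled: everything from the first Match
line onwards is conditional and is deliberately ignored (assumption).
"""
import fnmatch

# OpenSSH defaults (assumption: OpenSSH 7.0 or later, where the
# PermitRootLogin default became prohibit-password).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# PermitRootLogin values that forbid root password logins.
ROOT_NO_PASSWORD = ("prohibit-password", "without-password",
                    "forced-commands-only")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.

    sshd keeps the first value it sees for a keyword, so later duplicates
    are discarded here too.  Both 'Keyword value' and 'Keyword=value'
    spellings are accepted.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.lower()
        if key == "match":
            break  # conditional section: not evaluated (assumption)
        conf.setdefault(key, value.strip())
    return conf


def _user_matches(user, patterns):
    """True if `user` matches any AllowUsers/DenyUsers pattern.

    Entries may be USER or USER@HOST; only the USER part is compared
    (assumption: the client host is not known to this checker).
    """
    for pat in patterns.split():
        if fnmatch.fnmatchcase(user, pat.split("@", 1)[0]):
            return True
    return False


def can_login(config_text, user, method):
    """Return True if the global policy lets `user` log in with `method`.

    `method` is "password" or "publickey".  Evaluation order follows
    sshd: DenyUsers, then AllowUsers, then the method switch, then the
    root-specific PermitRootLogin restriction.
    """
    if method not in ("password", "publickey"):
        raise ValueError("unknown method: %r" % method)
    conf = dict(DEFAULTS)
    conf.update(parse_sshd_config(config_text))

    if "denyusers" in conf and _user_matches(user, conf["denyusers"]):
        return False
    if "allowusers" in conf and not _user_matches(user, conf["allowusers"]):
        return False

    switch = "passwordauthentication" if method == "password" \
        else "pubkeyauthentication"
    if conf[switch].lower() != "yes":
        return False

    if user == "root":
        prl = conf["permitrootlogin"].lower()
        if prl == "no":
            return False
        if prl in ROOT_NO_PASSWORD and method == "password":
            return False
    return True


# Constructed sample sshd_config; not taken from any real host.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
AllowUsers root brian denis@10.0.0.*
# second AllowUsers is ignored by sshd: first occurrence wins
AllowUsers everyone
Match User brian
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for who, how in (("root", "password"), ("root", "publickey"),
                     ("brian", "password"), ("everyone", "publickey")):
        print(who, how, can_login(SAMPLE_CONFIG, who, how))
```

With the sample above, root is refused a password login but allowed a key login, which is exactly the case the thread's final paragraph is about; "everyone" is refused because the second AllowUsers line never takes effect. Run `sshd -T` on a real host to see the fully expanded policy, including Match blocks, which this checker leaves out.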