On Tue, Jan 28, 2014 at 08:37:57PM +0000, Brian wrote:
> On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote:
>
> > Thanks Brian, I ended up removing openssh-server, as it was not
> > something I needed; it was automatically installed and set up to run as
> > a "feature" of the live CD I used to install Debian with (installed as
> > part of the "live-tools" package). Fortunately I came across the posting
> > that alerted me to this, and have removed it from both of my machines.
>
> Removing software which runs as a daemon is good practice. Why have a
> process listening for external connections when it is unnecessary?
>
> > If I end up using openssh in the future I will definitely use a private
> > key, though.
>
> Another battle lost. :)
>
> But ssh keys are great for some situations. The problem is their
> advocates never describe what the situations are and it is too often a
> case of being instructed to "use a ssh key". The downsides to a ssh
> key are left unsaid and the impression is given that a password login is
> naff and insecure. The pros and cons of an ssh key login are rarely
> discussed by these advocates.
>
> I'll just end by reminding you that your ssh key might be stored on a
> USB stick. Forget the stick and you don't get to access your account.
> Passwords are in your memory and, fallible though it might be, it is
> usually accessible. In the last resort the password could come to you
> in a dream. :)

Moreover, all intrusions in open source projects (through ssh) like kernel's git in 2011 or Fedora's repos occurred as a consequence of stealing private keys instead of password guessing.

Also, "SSH: passwords or keys?" - http://lwn.net/Articles/369703/