> I keep hearing keys only ssh ... I'll add that too. But I do have a

Why is it so common to jump to the conclusion that keys-only-ssh is more secure than passwords? I somewhat or sometimes disagree with this. When you use ssh keys, it's a virtual certainty that the keys are stored on the client's disk ... and a lot of users will not protect the key itself with a password or encryption. I think if you don't protect your key with a password, it's easier to compromise a system by stealing someone's keys than it is to brute force a password, even though the password is a smaller number of bits.

The proper way to do it (Plan A) is to use keys only, but ensure your keys are themselves protected by password. Plan B, I would say, is strong passwords. Plan C, I would say, is keys only ... without protecting the keys.

Point is: At the server, yes you have the ability to enforce a password complexity requirement. No, you don't have the ability to enforce a keys-must-be-encrypted-on-the-client-laptop policy.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/