On 2008-05-15, Ben Calvert <[EMAIL PROTECTED]> wrote:
> and it only applies if you're using keys _without_passphrase_.

Passphrases protect your on-disk copy of the key. The key can be
re-encrypted with a different key, or decrypted and written out, it's
still the same key. If you "ssh-keygen -p", you don't need to change
authorized_keys files on all the hosts where your key is listed.

The metasploit generated keys are obviously not encrypted, so there
are sets of private keys floating round for each of 1Kb DSA, 2Kb and
now 4Kb RSA...

> do people actually allow remote root access? for more than 5 minutes
> after install?

Yes, though "PermitRootLogin without-password" is not uncommon, so that
those pesky insecure passwords can't be used, only allowing the nice
secure private keys instead. Oh wait...

Anyone know if it's possible to require more than one type of
authentication, e.g. _both_ password and key-based? I didn't see a
way, but may have missed something.
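
The point made above about "ssh-keygen -p", as an added shell example that is not part of the original message: it generates an unencrypted key pair in a temporary directory, adds a passphrase in place, and then checks that the public key recovered from the now-encrypted private key, and its fingerprint, are identical to what was there before. The key path, comment and passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message): adding a passphrase with
# "ssh-keygen -p" re-encrypts the private key file on disk but leaves the
# key pair itself unchanged, so the public half in authorized_keys is still
# valid. Key path, comment and passphrase below are constructed values.

# Returns 0 when the public key and fingerprint are identical before and
# after the passphrase change, 1 otherwise.
check_passphrase_keeps_key() {
    workdir=$(mktemp -d) || return 1
    key="$workdir/id_rsa"

    # 1. Unencrypted 2048-bit RSA key, as a passphrase-less key would be.
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'added-example' -f "$key" || return 1
    pub_before=$(cut -d' ' -f1-2 "$key.pub")
    fp_before=$(ssh-keygen -lf "$key.pub" | awk '{print $2}')

    # 2. Add a passphrase in place: only the on-disk encryption changes.
    #    -P '' is the current (empty) passphrase, -N the new one.
    ssh-keygen -q -p -P '' -N 'constructed-passphrase' -f "$key" || return 1

    # 3. Recover the public key from the encrypted private key and compare
    #    it, and its fingerprint, with what was recorded before.
    ssh-keygen -y -P 'constructed-passphrase' -f "$key" > "$workdir/after.pub" || return 1
    pub_after=$(cut -d' ' -f1-2 "$workdir/after.pub")
    fp_after=$(ssh-keygen -lf "$workdir/after.pub" | awk '{print $2}')

    rm -rf "$workdir"
    [ "$pub_before" = "$pub_after" ] && [ "$fp_before" = "$fp_after" ]
}

# Stand-alone run: report the result when ssh-keygen is available.
if command -v ssh-keygen >/dev/null 2>&1; then
    if check_passphrase_keeps_key; then
        echo "same key pair before and after ssh-keygen -p: authorized_keys need not change"
    else
        echo "key pair changed (unexpected)"
        exit 1
    fi
fi
```

The same reasoning cuts the other way for compromised keys: because a passphrase only changes the encryption of the file, adding one to a key whose private half is already public does nothing, and the public half must be removed from every authorized_keys file it appears in. On the closing question, OpenSSH releases from 6.2 onward accept an `AuthenticationMethods` directive in sshd_config (for example `AuthenticationMethods publickey,password`) that requires each listed method to succeed in turn.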
