[PLUG] SSH Experts Here?

Wil Cooley wcooley at nakedape.cc
Wed Dec 6 17:19:57 UTC 2006


On Tue, 2006-12-05 at 22:50 -0800, Eric Wilhelm wrote:
> # from Wil Cooley
> # on Tuesday 05 December 2006 10:18 pm:
> 
> > Both password and public key authentication
> > methods are secure, regardless of the security of the underlying
> > medium.
> 
> Correct, except that the password can be guessed or gathered.  A 
> password-protected file (your private key) on a hard drive is a bit 
> harder to socially engineer.

I guess that's true; if you're on your own laptop, someone could collect
your password by shoulder-surfing.  If you're trying to use a public
terminal, after you've somehow gotten your key where it can be read by
your SSH client, someone could install a key-logger.  Of course, they
could also install a key-logger that also captured your private key (a
patched Putty, for example).  Which would you rather change, your
password or your private key?

> This thread seems to be about client configuration.  Puzzling.  If the 
> server is listening on a public port with password authentication 
> enabled, that is a source of unsecurity.

It sounds like Rich's issue is enforcing his own practices, not
necessarily wholly blocking external access via password.  If it is,
then you're right.  He'd probably need to run an sshd on a separate port
with a separate config file or disable password access altogether.

Wil
-- 
Wil Cooley <wcooley at nakedape.cc>
http://nakedape.cc
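The second option mentioned above, disabling password access for the outside world while still allowing it from trusted networks, is normally expressed with sshd's Match Address blocks rather than a second daemon. The script below is an added example, not part of this thread or of OpenSSH: it parses a constructed sshd_config fragment and reports the effective PasswordAuthentication value a client connecting from a given address would get. It uses a simplified model of sshd's Match semantics (global default first, then the first matching Match block that sets the keyword wins; only Address criteria are handled, with "!" negation), so treat the function names and the sample config as assumptions for illustration.

```python
"""Evaluate the effective PasswordAuthentication setting of an sshd_config
for a given client address, honouring Match Address blocks.

Simplified model of sshd's behaviour (assumption): the global section sets
the default, and among the Match blocks whose Address criteria match the
client, the FIRST one that sets a keyword wins. Put specific exceptions
before broader ranges for that reason.
"""
import ipaddress

# Constructed sample config: passwords off everywhere except the LAN,
# with one LAN host (a shared terminal, say) kept key-only.
SAMPLE_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes

Match Address 192.168.1.50
    PasswordAuthentication no

Match Address 192.168.1.0/24,10.0.0.0/8
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks); a block is (criteria, options)."""
    global_opts = {}
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = (value.split(), {})     # e.g. ["Address", "10.0.0.0/8"]
            blocks.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[1][key] = value
    return global_opts, blocks


def address_matches(client_ip, pattern_list):
    """Comma-separated CIDR/IP list; a matching '!' entry rejects outright."""
    ip = ipaddress.ip_address(client_ip)
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            hit = False                       # hostname wildcards not modelled
        if hit:
            return not negate
    return False


def block_matches(criteria, client_ip):
    """True if every criterion on the Match line is satisfied."""
    if [c.lower() for c in criteria] == ["all"]:
        return True
    for crit, pat in zip(criteria[0::2], criteria[1::2]):
        if crit.lower() != "address":
            return False                      # User/Group/Host not modelled
        if not address_matches(client_ip, pat):
            return False
    return True


def effective_option(text, keyword, client_ip):
    """Value of `keyword` that sshd would apply to a client at `client_ip`."""
    global_opts, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if keyword in opts and block_matches(criteria, client_ip):
            return opts[keyword]
    return global_opts.get(keyword)


def password_exposed(text, client_ip):
    """True if a client at this address may authenticate with a password."""
    return effective_option(text, "PasswordAuthentication", client_ip) == "yes"


if __name__ == "__main__":
    for addr in ("203.0.113.5", "192.168.1.7", "192.168.1.50", "10.1.2.3"):
        print(addr, "password allowed:", password_exposed(SAMPLE_CONFIG, addr))
```

To check a live host rather than a pasted fragment, feed the script the output of `sshd -T` (which prints the fully resolved configuration) or, for one specific client, `sshd -T -C addr=203.0.113.5,user=rich,host=example` on OpenSSH versions that support the -C connection specification; the script's value of this is in making the first-match ordering of Match blocks visible before the change goes into production.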