That's why I said "slim to none" chance.. not "mission impossible". :)
For daemons that may need to use ssh for whatever don't forget that you can configure your
keys in such a way that they only allow certain commands to be executed. This still leaves a
lot of holes if the attacker gets the daemon's private keys, but I suppose it can help.
On a side note:
One huge benefit of disabling passwords and using ssh-agent + passkey exclusively, one that is of
a secondary nature and not obvious, is that it reduces the chances of a hacked host that you log
into compromising the rest of your networks. Like I said, it's completely secondary and
it has to do with human nature.
We've all done something like this:
log into host a
from host a log into host b.
from host b use scp to copy a file to your home desktop.
That's easy to do and fairly standard unixy shell stuff.. When you're busy and have lots of
shells open on lots of computers it's a pretty natural thing to do. But if 'host a' is rooted
then the attacker now has a decent chance of obtaining your passwords for 'host b' and your
So if you have passwords disabled and only keep your private keys on your localhost then that
makes that sort of bad behavior much more difficult and makes 'doing the right thing', where
you do not jump from host to host, much easier... since you're using ssh-agent and such you
effectively have SSO, so even if you have passwords available it's much easier not to.
It's a completely side thing and a very so-so thing, but I think it's nice.
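The "keys that only allow certain commands" idea from the first paragraph is usually done with a forced command in `authorized_keys` plus a small wrapper that checks `SSH_ORIGINAL_COMMAND` against an allow list. The script below is an added illustration, not code from the post or its author; the key comment, the `/usr/local/bin/backup-shell` install path, the `run-backup` helper and the log tag are all assumed names chosen for the example. It shows the defensive point the poster makes: even if the daemon's private key leaks, the key can only run the two exact commands the server operator listed, with no pty, no forwarding and no arguments smuggled in.

```shell
#!/bin/sh
# Forced-command wrapper for a daemon's SSH key (added example, not from the post).
#
# On the *server*, the daemon's public key is installed with a forced command and
# the 'restrict' option (OpenSSH 7.2+: no pty, no port/agent/X11 forwarding):
#
#   restrict,command="/usr/local/bin/backup-shell" ssh-ed25519 AAAA... backup-daemon
#
# sshd then ignores what the client asked to run, executes this script instead,
# and passes the client's request in $SSH_ORIGINAL_COMMAND for us to inspect.
# The install path and key comment above are assumptions for this example.

# allowed_command REQUEST
#   Exact-match allow list. Prints the canonical command and returns 0 when the
#   request is permitted, returns 1 otherwise. Anything with extra arguments,
#   shell metacharacters or an unknown program falls through to the default case.
allowed_command() {
    case "$1" in
        "/usr/bin/uptime")
            printf '%s\n' "/usr/bin/uptime"; return 0 ;;
        "run-backup")
            # Assumed helper path: the real backup job lives behind a fixed name,
            # so the remote side never gets to choose paths or options.
            printf '%s\n' "/usr/local/bin/run-backup"; return 0 ;;
        *)
            return 1 ;;
    esac
}

# deny_reason REQUEST
#   Returns a short, log-friendly string describing why a request was rejected.
deny_reason() {
    if [ -z "$1" ]; then
        printf '%s\n' "empty request (interactive login attempt)"
    else
        printf '%s\n' "not on allow list"
    fi
}

# Entry point: only acts when invoked by sshd, i.e. when SSH_ORIGINAL_COMMAND is
# set. Sourcing or running this file by hand (or in a test) does nothing here.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if cmd=$(allowed_command "$SSH_ORIGINAL_COMMAND"); then
        logger -t backup-shell "allowed: $cmd" 2>/dev/null || :
        # $cmd is one of our own literals with no spaces, so plain exec is safe.
        exec "$cmd"
    else
        logger -t backup-shell "denied: $(deny_reason "$SSH_ORIGINAL_COMMAND") [$SSH_ORIGINAL_COMMAND]" 2>/dev/null || :
        printf 'command not permitted for this key\n' >&2
        exit 127
    fi
fi
```

Denied requests are logged with the literal string the client sent, which is the detection hook a defender wants: a stolen daemon key that suddenly asks for `bash -i` or `/usr/bin/uptime -p` shows up in syslog as a denial rather than as a quiet shell. Note the wrapper deliberately does not try to "sanitise" arguments; an exact-match allow list is simpler to audit than any escaping scheme.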