
Re: OpenSSH daemon security bug?

From:  Daniel Kahn Gillmor <dkg-AT-fifthhorseman.net>
To:  openssh-unix-dev-AT-mindrot.org
Subject:  Re: OpenSSH daemon security bug?
Date:  Tue, 05 Jan 2010 12:25:26 -0500
Archive-link:  Article, Thread

On 01/05/2010 10:21 AM, Mark Janssen wrote:
> On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <davi@leals.com> wrote:
>> co-worker wrote:
>>> I am all for encouraging key-based logins, but I think disabling
>>> password logins completely actually reduces security.
> 
> I must agree here, while keys are better than passwords, it's
> impossible to enforce passphrase quality on keys, while it is possible
> to enforce some quality on passwords.
> 
I don't think you're comparing the same thing, though.  You can make
sure it's a really really strong password, but it's still *not* possible
to enforce that your users keep their password safe.

If you're worried that your users might leave an unprotected key lying
around, you should *also* be worried that those same users might send
their password via e-mail (even if it's just "to themselves as a
reminder"), or write it in a cleartext file on their computer, reuse it
for their amazon account, for their blog, etc.

At some level, you have to trust your users if they're going to use your
system.  And have good backups, easy recovery, and regular user
education about good practices, of course ;)

	--dkg

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
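The one thing in this exchange that an administrator can actually measure is the case dkg raises: a private key that has been left on disk without a passphrase. The following is an added example, not code from the thread or from OpenSSH; it inspects the file formats OpenSSH writes (the native "openssh-key-v1" container, where the cipher name "none" means no passphrase, and the legacy PEM container, where encryption is signalled by a "Proc-Type: 4,ENCRYPTED" header) and reports which keys are unprotected. The sample key texts at the bottom are constructed fixtures: the openssh-key-v1 blobs carry only the header fields this check reads, not real key material, and the file names are made up.

```python
"""Audit OpenSSH private key files for missing passphrases (added example)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def openssh_key_cipher(key_text: str) -> str:
    """Return the cipher name recorded in an openssh-key-v1 file.

    The format is: magic, string ciphername, string kdfname, string kdfoptions,
    uint32 number of keys, ...  A ciphername of "none" means the private
    section is stored in the clear, i.e. the key has no passphrase.
    """
    body = "".join(line.strip() for line in key_text.splitlines()
                   if line and not line.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def is_passphrase_protected(key_text: str) -> bool:
    """True if the private key file is encrypted under a passphrase."""
    stripped = key_text.strip()
    header = stripped.splitlines()[0] if stripped else ""
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return openssh_key_cipher(key_text) != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container is always passphrase-protected
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header
        return "Proc-Type: 4,ENCRYPTED" in key_text
    raise ValueError("unrecognised private key format")


def find_unprotected(keys: dict) -> list:
    """Given {filename: file contents}, return the names lacking a passphrase."""
    return sorted(name for name, text in keys.items()
                  if not is_passphrase_protected(text))


def _build_openssh_header(cipher: str, kdf: str) -> str:
    """Constructed fixture: an openssh-key-v1 file containing only the header fields."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode())
            + s(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples; names and contents are made up for this example.
SAMPLE_KEYS = {
    "id_ed25519_laptop": _build_openssh_header("none", "none"),
    "id_ed25519_work": _build_openssh_header("aes256-ctr", "bcrypt"),
    "id_rsa_legacy": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
        "\n"
        "AAAA\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "id_rsa_old_unencrypted": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "AAAA\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for name in find_unprotected(SAMPLE_KEYS):
        print(f"{name}: private key has no passphrase")
```

On a real host the same functions would be fed the contents of each file under a user's ~/.ssh; the check reads only the container header, so it never needs the passphrase and never touches the key material itself.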



Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds