From: Daniel Kahn Gillmor <dkg-AT-fifthhorseman.net>
To: openssh-unix-dev-AT-mindrot.org
Subject: Re: OpenSSH daemon security bug?
Date: Tue, 05 Jan 2010 12:25:26 -0500
On 01/05/2010 10:21 AM, Mark Janssen wrote:
> On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <email@example.com> wrote:
>> co-worker wrote:
>>> I am all for encouraging key-based logins, but I think disabling
>>> password logins completely actually reduces security.
> I must agree here, while keys are better than passwords, it's
> impossible to enforce passphrase quality on keys, while it is possible
> to enforce some quality on passwords.

I don't think you're comparing the same thing, though. You can make
sure it's a really really strong password, but it's still *not* possible
to enforce that your users keep their password safe.
If you're worried that your users might leave an unprotected key lying
around, you should *also* be worried that those same users might send
their password via e-mail (even if it's just "to themselves as a
reminder"), or write it in a cleartext file on their computer, reuse it
for their amazon account, for their blog, etc.
At some level, you have to trust your users if they're going to use your
system. And have good backups, easy recovery, and regular user
education about good practices, of course ;)
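The one property of a key file an administrator can check without the passphrase is whether the key is passphrase-protected at rest at all; passphrase quality itself, as the thread says, cannot be checked. The script below is an added example, not code from this thread or from OpenSSH: it recognises the three armours ssh-keygen writes (the openssh-key-v1 container, whose second field is the cipher name and reads "none" for an unprotected key; legacy PEM with its "Proc-Type: 4,ENCRYPTED" header; and PKCS#8 "ENCRYPTED PRIVATE KEY"). The sample key envelopes are constructed for the example and carry no real key material, and the ~/.ssh/id_* search path is an assumption.

```python
import base64
import glob
import os
import struct

# Magic string that opens the openssh-key-v1 container (ssh-keygen's default format).
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:end], end


def key_is_encrypted(key_text: str) -> bool:
    """Return True if the private key in key_text is passphrase-protected at rest."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    armour = lines[0]
    if armour == OPENSSH_HEADER:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Layout after the magic: string ciphername, string kdfname, string kdfoptions, ...
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)  # "bcrypt" when a passphrase was set, else "none"
        return cipher != b"none"
    if "ENCRYPTED PRIVATE KEY" in armour:  # PKCS#8 encrypted armour
        return True
    # Legacy PEM: the body is base64, so any line containing ':' is an RFC 1421 header.
    headers = [ln for ln in lines[1:-1] if ":" in ln]
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in headers)


def make_openssh_envelope(cipher: bytes, kdf: bytes) -> str:
    """CONSTRUCTED sample: an openssh-key-v1 container with only the header
    fields filled in (no key material), enough to exercise key_is_encrypted()."""
    def wire(s: bytes) -> bytes:
        return struct.pack(">I", len(s)) + s
    blob = OPENSSH_MAGIC + wire(cipher) + wire(kdf) + wire(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# CONSTRUCTED legacy-PEM samples; the base64 body is a placeholder because
# only the RFC 1421 headers are inspected for this format.
PEM_UNPROTECTED = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
PEM_PROTECTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def audit_keys(paths):
    """Map each path to 'protected', 'UNPROTECTED' or 'unreadable: <reason>'."""
    report = {}
    for path in paths:
        try:
            with open(path, "r", encoding="ascii", errors="replace") as fh:
                report[path] = "protected" if key_is_encrypted(fh.read()) else "UNPROTECTED"
        except (OSError, ValueError) as exc:
            report[path] = f"unreadable: {exc}"
    return report


if __name__ == "__main__":
    # Assumed location: the usual ~/.ssh/id_* private keys (public halves excluded).
    candidates = [p for p in glob.glob(os.path.expanduser("~/.ssh/id_*"))
                  if not p.endswith(".pub")]
    for path, verdict in sorted(audit_keys(candidates).items()):
        print(f"{verdict:12} {path}")
```

Run it as the user whose keys you want to inspect; it needs read access to the files but never needs, asks for, or learns the passphrase, which is exactly why it can say "protected" but not "well protected".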