That's why I said "slim to none" chance... not "mission impossible". :)

For daemons that may need to use ssh for whatever, don't forget that you can configure your keys in such a way that they only allow certain commands to be executed. This still leaves a lot of holes if the attacker gets the daemon's private keys, but I suppose it can help.

On a side note: one huge benefit of disabling passwords and using ssh-agent + passkey exclusively, which is of a secondary nature and not obvious, is that it reduces the chances of a hacked host that you log into compromising the rest of your networks. Like I said, it's completely secondary and it has to do with human nature.

We've all done something like this: log into host a; from host a, log into host b; from host b, use scp to copy a file to your home desktop. That's easy to do and fairly standard unixy shell stuff. When you're busy and have lots of shells open on lots of computers it's a pretty natural thing to do. But if 'host a' is rooted then the attacker now has a decent chance of obtaining your passwords for 'host b' and your home computer.

So if you have passwords disabled and only keep your private keys on your localhost, then that makes that sort of bad behavior much more difficult and makes 'doing the right thing', where you do not jump from host to host, much easier... since you're using ssh-agent and such you effectively have SSO, so even if you have passwords available then it's much easier not to.

It's a completely side thing and a very so-so thing, but I think it's nice.
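The per-key command restriction mentioned in the comment, as an added example that is not part of the original post: a forced-command gate that OpenSSH runs in place of whatever the client asked for, permitting only an exact-match allowlist. The script path `/usr/local/bin/ssh-gate`, the two allowed commands, and the key placeholder are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command gate for a daemon's SSH key (added example; names are hypothetical).
# Installed with one authorized_keys line on the server (key is a placeholder):
#   command="/usr/local/bin/ssh-gate",restrict ssh-ed25519 <PUBLIC-KEY> backup-daemon
# sshd then ignores the command the client requested, runs this script instead,
# and passes the client's request in SSH_ORIGINAL_COMMAND. "restrict" also turns
# off port, agent and X11 forwarding and PTY allocation for this key.

# Map a requested command string to the fixed program we are willing to run.
# Exact matches only: the client's string is never eval'd, word-split or
# passed to a shell, so "uptime; something-else" simply fails to match.
gate_resolve() {
    case "$1" in
        "backup-status") echo "/usr/local/bin/backup-status" ;;  # hypothetical tool
        "uptime")        echo "/usr/bin/uptime" ;;
        *)               return 1 ;;
    esac
}

# Run the allowlisted program, or refuse and report the denial on stderr.
gate_main() {
    if target=$(gate_resolve "$SSH_ORIGINAL_COMMAND"); then
        exec "$target"
    fi
    echo "ssh-gate: command not permitted" >&2
    return 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when the client asked for a command.
# An interactive login attempt with this key leaves it unset, so the script
# falls through, nothing is executed and the session ends without a shell.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    gate_main
    exit $?
fi
```

As the comment notes, this narrows what a stolen daemon key can do but does not make it harmless: whoever holds the key can still run every allowlisted command.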
Copyright © 2017, Eklektix, Inc.