a simple questions about sshd and PasswordAuthentication

Josh Paetzel josh at tcbug.org
Wed Oct 25 02:59:15 UTC 2006

On Tuesday 24 October 2006 21:54, Atom Powers wrote:
> On 10/24/06, Jeff MacDonald <bignose at gmail.com> wrote:
> > Is there anything inherintaly dangerous or wrong about enabling
> > PasswordAuthentication in sshd_config ?
> >
> > I understand how public keys are better and everything else. And
> > I do use them. I'm just curious.
> There are many arguments for and against, but /inherintaly/ they
> are the same. You are comparing your secret to the secret stored on
> the server. Keys just tend to be much longer secrets, and are also
> more difficult to change.

I don't know about that.   With password authentication someone has to 
guess a valid username and password.  With key authentication someone 
has to guess a valid username, key, and passphrase.  While I have 
boxes that experience thousands of password based brute force 
attempts a day I don't recall anyone ever bothering to try and 
brute-force a key.

My personal opionion is that if you are using key-based authentication 
you are for all practical purposes invulnerable to brute-forcing.  
The only way someone is going to get in is via an exploit in ssh or 
by stealing the key and passphrase from a valid user.  


Josh Paetzel

More information about the freebsd-questions mailing list