a simple questions about sshd and PasswordAuthentication
josh at tcbug.org
Wed Oct 25 02:59:15 UTC 2006
On Tuesday 24 October 2006 21:54, Atom Powers wrote:
> On 10/24/06, Jeff MacDonald <bignose at gmail.com> wrote:
> > Is there anything inherintaly dangerous or wrong about enabling
> > PasswordAuthentication in sshd_config ?
> > I understand how public keys are better and everything else. And
> > I do use them. I'm just curious.
> There are many arguments for and against, but /inherintaly/ they
> are the same. You are comparing your secret to the secret stored on
> the server. Keys just tend to be much longer secrets, and are also
> more difficult to change.
I don't know about that. With password authentication someone has to
guess a valid username and password. With key authentication someone
has to guess a valid username, key, and passphrase. While I have
boxes that experience thousands of password based brute force
attempts a day I don't recall anyone ever bothering to try and
brute-force a key.
My personal opionion is that if you are using key-based authentication
you are for all practical purposes invulnerable to brute-forcing.
The only way someone is going to get in is via an exploit in ssh or
by stealing the key and passphrase from a valid user.
More information about the freebsd-questions