On Sunday, July 20, 2003, at 09:14 PM, Mark A. Hershberger wrote:
> "Brian D. Mayeur" <bmayeur@bmay.net> writes:
>
>> In order to login without a password, you just copy your
>> identity.pub key into the authorized_keys file on the remote system.
>> I have been against FTP ever since I noticed my password in the
>> status bar during downloads.
>
> But, again, note that having an unprotected keypair is just slightly
> better than cleartext passwords.
>
> If your key falls into the wrong hands, you've given that person
> passwordless access to your accounts.
While I agree that not having a passphrase on your keypair is nowhere
near as good as having one, I think a passphrase-less keypair is much
superior to cleartext passwords. On the other hand, ssh password
authentication does *not* occur in the clear, so it's a definite leg up
over services like ftp or http auth where passwords do pass in the
clear.
Ultimately, empty-password keypairs are like a physical key. If you
lose it, someone else can open your front door (with the extra downside
that you probably won't know you lost it). On the other hand,
cleartext passwords are like shouting your PIN down a darkened hallway.
At least there's a reasonable (if not paranoid) assumption of security
for keypairs.
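A defensive check for the risk discussed in this thread, added here as an example and not part of the original messages: a small Python audit that reports private keys in a directory which carry no passphrase. It reads the cipher field of the openssh-key-v1 header that current OpenSSH writes (a value of "none" means the key is stored unencrypted) and, for legacy PEM keys, looks for the "Proc-Type: 4,ENCRYPTED" header. The helper make_openssh_key_text builds a constructed, header-only blob for demonstration; it is not a real key.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # prefix of the openssh-key-v1 format

def _ssh_string(data):
    # OpenSSH wire string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data

def _read_ssh_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def private_key_is_encrypted(key_text):
    """True if the PEM-armored private key text is passphrase-protected."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armored private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First header field is the cipher name; "none" means no passphrase
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is flagged by a header line
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:-1])

def make_openssh_key_text(cipher, kdf):
    """Constructed sample (not a real key): only the openssh-key-v1 header fields."""
    blob = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + body + "\n-----END OPENSSH PRIVATE KEY-----\n"

def audit_ssh_dir(path):
    """Names of files under `path` holding private keys with no passphrase."""
    weak = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full) or name.endswith(".pub"):
            continue
        with open(full, errors="replace") as fh:
            text = fh.read()
        # Skip config, known_hosts, authorized_keys and anything else unarmored
        if text.startswith("-----BEGIN ") and not private_key_is_encrypted(text):
            weak.append(name)
    return weak
```

Run audit_ssh_dir(os.path.expanduser("~/.ssh")) to list the keys on a host that would grant access to anyone who copies them.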
___________________
Nolug mailing list
nolug@nolug.org
Received on 07/21/03