> On Wed, 2005-12-07 at 09:35, STYMA, ROBERT E (ROBERT) wrote:
> > > Key based authentication is the right way to go. You should disable
> > > root ssh access completely.
> > >
> >
> > Key based authentication is good, but there is one caveat. Straight
> > key based allows you to log in directly without typing a password.
> > If you are ssh'ing from work to home from a UNIX machine, any sys-admin
> > with the root password on your work machine can become you and then
> > ssh to your home machine as you with no password. Maybe you don't care
> > if your sysadmin is dinking around in your home machine and maybe you do.
> >
> > I am not saying not to use key based authentication, but it is not a
> > cure-all.
>
> You are correct, there are no magic bullet solutions. Typically you
> would still use a password/passphrase to use your private key. Of
> course the same rules apply as to any password, use a good non-trivial
> one that cannot be guessed.

You should use a passphrase to use with your private key, unless you're
using SSH between servers on the same subnet (preferably without
third-party network components) and the boxes use the same passwords.

Kind regards,

Jeroen van Meeuwen
-- kanarip
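The thread makes two points a defender can check with a script rather than by eye: the server should not allow direct root logins, and a private key sitting on a shared workstation should carry a passphrase so that whoever can read the file cannot immediately use it. The POSIX shell script below is an added example, not code from the thread or from OpenSSH. It assumes OpenSSH's two private-key file formats (PEM keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header; new-format keys store the cipher and KDF names inside the base64 body, where a passphrase-protected key names bcrypt) and sshd_config's first-occurrence-wins rule for duplicate keywords. The sample key files and config fragment it checks are constructed stand-ins, not real keys.

```shell
#!/bin/sh
# Added example (not from the thread): local checks for the two points raised
# above. Sample files are constructed below; they are not real keys or configs.

# Print the effective value of a sshd_config keyword. sshd honours the first
# occurrence, so a later duplicate (a common hardening mistake) is ignored here too.
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Succeed only if direct root logins and password logins are both disabled,
# leaving key-based authentication (with a client-side passphrase) as the way in.
sshd_config_hardened() {
    [ "$(sshd_option "$1" PermitRootLogin)" = "no" ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# Succeed if the private key is passphrase-protected. PEM-style keys carry a
# "Proc-Type: 4,ENCRYPTED" header; new-format OpenSSH keys keep the cipher and
# KDF names inside the base64 body, so decode it and look for "bcrypt".
key_is_encrypted() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        sed '1d;$d' "$1" | base64 -d 2>/dev/null | grep -aq 'bcrypt'
    else
        grep -q 'Proc-Type: 4,ENCRYPTED' "$1"
    fi
}

# Constructed stand-in for a new-format key: $1 path, $2 cipher name, $3 KDF name.
# A real file is a length-prefixed binary structure; only the names matter here.
make_openssh_key() {
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1 %s %s constructed-sample' "$2" "$3" | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

# Constructed stand-in for a PEM key: $1 path, $2 "encrypted" or "plain".
make_pem_key() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
            echo
        fi
        printf 'constructed-sample-not-a-real-key' | base64
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Constructed sshd_config fragment: $1 path, $2 PermitRootLogin, $3 PasswordAuthentication.
make_sshd_config() {
    {
        echo '# constructed sshd_config fragment'
        echo "PermitRootLogin $2"
        echo "PasswordAuthentication $3"
        echo '# duplicate below is ignored by sshd: the first occurrence wins'
        echo 'PermitRootLogin yes'
    } > "$1"
}

# Run the checks over the constructed samples.
demo() {
    d=$(mktemp -d)
    make_openssh_key "$d/id_plain" none none
    make_openssh_key "$d/id_pass"  aes256-ctr bcrypt
    make_pem_key     "$d/id_rsa_plain" plain
    make_sshd_config "$d/sshd_config" no no
    for k in id_plain id_pass id_rsa_plain; do
        if key_is_encrypted "$d/$k"; then
            echo "$k: passphrase-protected"
        else
            echo "$k: UNPROTECTED - anyone who can read this file can log in as you"
        fi
    done
    if sshd_config_hardened "$d/sshd_config"; then
        echo "sshd_config: root and password logins disabled"
    else
        echo "sshd_config: root or password login still permitted"
    fi
    rm -rf "$d"
}
demo
```

On a real system you would point key_is_encrypted at the files under ~/.ssh and sshd_config_hardened at /etc/ssh/sshd_config; the first-occurrence rule in sshd_option is what makes a stray "PermitRootLogin yes" near the top of a long config override the hardened value someone appended at the bottom.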