On Tue, 2008-01-22 at 17:50 -0800, Aldo Foot wrote:
> On Jan 22, 2008 5:36 PM, Craig White <craigwhite@xxxxxxxxxxx> wrote:
> > On Tue, 2008-01-22 at 11:38 -0800, Aldo Foot wrote:
> > > On Jan 22, 2008 8:34 AM, Gijs <info@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > > Or you can do it the "easy" way. Use public keys without a
> > > > password on it.
> > > > You won't have to type in any password, so you won't get the
> > > > popup anymore, and it's relatively secure.
> > >
> > > I agree. Passwordless SSH keys are _very_ insecure in my opinion.
> > > Just pray that the account owning the keys is not compromised...
> > > because then the floodgates are opened.
> > > Of course this is a non-issue if your systems are in some private
> > > net not exposed to outside traffic.
> > ----
> > I'm confused by this comment.
> >
> > If you use ssh keys, does it matter whose account is compromised?
> > Once the account is compromised, couldn't they just load a keylogger?
> >
> > And then, ssh keys still have passwords unless the creator of the
> > keys decides to omit a password.
> >
> > Am I missing something here?
> >
> > Craig
>
> Well, the scenario I described actually happened years ago to someone
> I knew.
> If I create keys without a passphrase, and share the public keys
> between two systems (A and B), then from system A I can log to
> system B by simply saying "ssh user@B". This is very convenient for
> cron jobs.
>
> This is particularly risky when the systems are accessed by the
> general public.
> How does someone find out the username? I don't know... company
> phonebook, online profiles listing first/lastname, etc.
----
Aren't you really talking about a weak password scheme?

Craig