Security suggestion concering SSH and port forwarding.

Carson Gaspar carson at
Tue Jan 20 09:39:57 EST 2004

--On Monday, January 19, 2004 3:58 AM -0600 Ben Lindstrom 
<mouring at> wrote:

> What is wrong with using public keys?

Users will use a NULL passphrase on the public key (or a trivial password). 
Then we'll get hacked when they loose their laptop. Unless you're using 
smart cards (and using them very carefully), public key auth just isn't 
very secure with "normal" users. This is what led me to do the auth vector 
work way back when.

Which makes me think... if I extended the authorized key mechanisms to 
match against a username instead of (or in addition to, if applicable...) a 
key, is there a chance that would get merged in? The current functionality 
is pretty good, but only if you use pubkey auth. It would be nice to get 
the same functionality regardless of auth mechanism.


More information about the openssh-unix-dev mailing list