OpenSSH daemon security bug?

Michael Stone mstone at mathom.us
Wed Jan 6 02:14:34 EST 2010


It's true that for some threats a poorly managed ssh private key is 
weaker authentication than a well-managed password. Trying to fix poor 
password management (brute-force ssh password guessing doesn't work with 
well-managed password policies) by mandating the use of ssh keys is 
generally a recipe for disaster. (If you can't enforce a password policy, 
why on earth do you think you can enforce a key management policy?) Both 
mechanisms have their strengths and weaknesses, and neither should be 
chosen over the other unless you understand what those are. In many 
cases the ideal option would be *both* a certificate *and* a password.

Mike Stone
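As an added illustration of the "both a key and a password" option discussed above (this is example configuration, not something from Mike Stone's post or the OpenSSH project): an sshd_config fragment that requires a successful public-key authentication followed by a password. The AuthenticationMethods directive is assumed to be available; it was added in OpenSSH 6.2 (2013), after this message was written.

```sshd_config
# Example sshd_config fragment (added here, not from the original post).
# Goal: a client must present a valid key AND know the account password.

# Both mechanisms must be enabled for the combined method to work.
PubkeyAuthentication yes
PasswordAuthentication yes

# One comma-separated list = one required sequence of methods, in order.
# Note: two space-separated lists would mean "either sequence", which is
# weaker than intended; keep it to a single list for a real AND.
AuthenticationMethods publickey,password

# Defence in depth against password guessing, independent of key policy.
MaxAuthTries 3
PermitRootLogin no
```

After editing, validate the file with `sshd -t` before restarting the daemon, and confirm the effective value with `sshd -T | grep -i authenticationmethods`; a typo in the method list leaves sshd refusing to start rather than silently weakening the policy.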


More information about the openssh-unix-dev mailing list