OpenSSH daemon security bug?
Michael Stone
mstone at mathom.us
Wed Jan 6 02:14:34 EST 2010
It's true that for some threats a poorly managed ssh private key is
weaker authentication than a well managed password. Trying to fix poor
password management (brute force ssh password guessing doesn't work with
well managed password policies) by mandating the use of ssh keys is
generally a recipe for disaster. (If you can't enforce a password policy
why on earth do you think you can enforce a key management policy?) Both
mechanisms have their strengths and weaknesses, and neither should be
chosen over the other unless you understand what those are. In many
cases the ideal option would be *both* a certificate *and* a password.
Mike Stone
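The "both a certificate and a password" option the post ends on can be enforced in sshd_config with the AuthenticationMethods directive, which OpenSSH added in 6.2, a few years after this 2010 message. The block below is an added example, not from the post or from the OpenSSH project: two constructed sshd_config fragments, one that accepts either factor on its own and one that demands a key first and then a password, plus a small POSIX shell audit that reads directives the way sshd does (keywords case-insensitive, first occurrence wins) and reports whether a config really requires key-plus-password and caps guesses per connection. It assumes a flat config with no Match blocks.

```shell
#!/bin/sh
# Added example, not from the post or the OpenSSH project. Shows the
# "key AND password" option as an sshd_config fragment and a small audit
# of a config text. AuthenticationMethods exists in OpenSSH 6.2 and later.

# Constructed sample: either a key or a password alone opens a session,
# and sshd allows 10 guesses per connection.
WEAK_CONFIG='PubkeyAuthentication yes
PasswordAuthentication yes
MaxAuthTries 10'

# Constructed sample: sshd tries publickey first and only then asks for a
# password; a stolen key alone or a guessed password alone is not enough.
STRONG_CONFIG='PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
MaxAuthTries 3'

# Print the value of one directive from the config on stdin, the way sshd
# reads it: keywords are case-insensitive and the first match wins.
# Assumption: no Match blocks in the input (their overrides are ignored here).
sshd_directive() {
    awk -v key="$1" '
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Succeed only if every alternative listed in AuthenticationMethods
# (alternatives are separated by spaces, steps within one by commas)
# includes publickey plus a password-style step, in either order.
requires_key_and_password() {
    methods=$(printf '%s\n' "$1" | sshd_directive AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        case "$alt" in
            *publickey*password*|*password*publickey*) ;;
            *publickey*keyboard-interactive*|*keyboard-interactive*publickey*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Succeed only if MaxAuthTries is set and small enough that a single
# connection cannot run through a long password list.
max_auth_tries_ok() {
    tries=$(printf '%s\n' "$1" | sshd_directive MaxAuthTries)
    case "$tries" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$tries" -le 3 ]
}

# Report both checks for a config; exit status 0 only if both pass.
audit_sshd_config() {
    status=0
    if requires_key_and_password "$1"; then
        echo "key+password: required"
    else
        echo "key+password: NOT required (AuthenticationMethods missing or weak)"
        status=1
    fi
    if max_auth_tries_ok "$1"; then
        echo "MaxAuthTries: ok"
    else
        echo "MaxAuthTries: too high or unset"
        status=1
    fi
    return $status
}

echo "== weak config =="
audit_sshd_config "$WEAK_CONFIG" || true
echo "== strong config =="
audit_sshd_config "$STRONG_CONFIG"
```

Run it against a real file with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`, and keep in mind the check passes only when every alternative in AuthenticationMethods demands a key as well as a password; a list such as `publickey,password password` still lets a guessed password through on its own. Also note that sshd stops at the first failed step, so with `publickey,password` a client that presents no valid key is never even asked for the password.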