OpenSSH daemon security bug?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 6 04:25:26 EST 2010


On 01/05/2010 10:21 AM, Mark Janssen wrote:
> On Tue, Jan 5, 2010 at 4:01 PM, Davi Diaz <davi at leals.com> wrote:
>> co-worker wrote:
>>> I am all for encouraging key-based logins, but I think disabling
>>> password logins completely actually reduces security.
> 
> I must agree here, while keys are better than passwords, it's
> impossible to enforce passphrase quality on keys, while it is possible
> to enforce some quality on passwords.
> 
I don't think you're comparing the same thing, though.  You can make
sure it's a really really strong password, but it's still *not* possible
to enforce that your users keep their password safe.

If you're worried that your users might leave an unprotected key lying
around, you should *also* be worried that those same users might send
their password via e-mail (even if it's just "to themselves as a
reminder"), or write it in a cleartext file on their computer, reuse it
for their amazon account, for their blog, etc.

At some level, you have to trust your users if they're going to use your
system.  And have good backups, easy recovery, and regular user
education about good practices, of course ;)

	--dkg
