Corporate public key?

Joseph Bruni
Wed Jul 9 03:58:04 2003

Hash: SHA1

This gets annoying after while, especially if you find yourself needing 
to connect to said server while away from a host that has your private 
key. Being able to fall back to passwords is a nice convenience for 
most circumstances and, unless that Linux server of yours really 
contains sensitive information, I wouldn't worry about a password crack 
(unless you have really easy-to-guess passwords). Having to load your 
private key on a temporary host has its own set of vulnerabilities.

One thing that would help to slow down a password attack is successive 
increases in delays after each wrong password. Apple's implementation 
of OpenFirmware does that to keep people from trying to brute force 
that password. Perhaps you can configure "login" or "sshd" to do the 
same? Or recommend it to the OpenBSD folks.

I'm not knocking public-key authentication at all -- I use it almost 
exclusively -- and the ssh-agent makes life really nice. But disabling 
the fallback to passwords seems a bit obtuse, IMHO.

On Tuesday, July 8, 2003, at 10:27 AM, CL Gilbert wrote:

> I have disabled ssh passwords on my Linux box in favor of gpg key 
> logins
> because they cant be hacked like a pwd.  plus I don't have to remember
> them as long as I have my key with me.
Version: GnuPG v1.2.2 (Darwin)