Heterogeneous File Sharing Recommendations?
Jon Jensen
jon at endpoint.com
Tue Feb 2 21:09:14 MST 2010
On Tue, 2 Feb 2010, Charles Curley wrote:
> Setting up public key auth is as simple as getting the users' public
> keys onto the servers so they can log in, and verifying the correct
> permissions. One public key per user you expect them to use.
>
> Using passwords means the passwords are sent over the net using weak or
> no encryption.
Is that true? I don't think it is, for ssh. Passwords are always sent over
the ssh tunnel using the same strong encryption that's used for the rest
of the ssh conversation. They are as secure against 3rd-party snooping as
anything else about the ssh session.
The weakness with password authentication is that the server receiving the
password can be modified to store the plaintext password, which if it was
used for other accounts or servers, can be used to log in elsewhere without
authorization. Public-key cryptography avoids this weakness. Passwords are
also much more likely to be guessed in a brute-force attack than ssh
secret keys (aside from the Debian OpenSSL fiasco of 2008!). But the
passwords are safe enough during transit.
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
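As an added example (not part of the thread, nor End Point's or PLUG's code), the two checks a sysadmin would actually run after this exchange: whether an sshd configuration still allows password authentication, and whether a user's ~/.ssh permissions are tight enough for sshd's StrictModes to honour authorized_keys. The function names, the constructed sample configs and the temporary directory layout are all assumptions made here; the keyword defaults (PasswordAuthentication and PubkeyAuthentication both default to yes, first uncommented occurrence wins) are OpenSSH's documented behaviour.

```shell
#!/bin/sh
# Added example: audit sshd_config for password vs. public-key auth and
# sanity-check ~/.ssh permissions. Helper names are hypothetical.

# audit_sshd_config FILE
# Prints "pubkey-only" when PubkeyAuthentication is on and
# PasswordAuthentication is off, otherwise "password-allowed".
# sshd takes the first uncommented value of each keyword and defaults
# both keywords to yes, so an absent or commented-out line means "yes".
audit_sshd_config() {
    cfg="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    pk=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$cfg")
    pw=${pw:-yes}
    pk=${pk:-yes}
    if [ "$pk" = "yes" ] && [ "$pw" = "no" ]; then
        echo "pubkey-only"
    else
        echo "password-allowed"
    fi
}

# check_ssh_perms DIR
# Prints "ok" if DIR and DIR/authorized_keys exist and are neither
# group- nor world-writable; otherwise prints the first problem and
# returns 1. This is the subset of sshd's StrictModes checks that most
# often bites when copying keys by hand (StrictModes also checks the
# home directory and file ownership).
check_ssh_perms() {
    dir="$1"
    for f in "$dir" "$dir/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f"; return 1; }
        # Column 6 of ls -ld is the group write bit, column 9 the
        # world write bit (e.g. "drwx------" is fine, "drwxrwx---" is not).
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w?) echo "group/world writable: $f"; return 1 ;;
        esac
    done
    echo "ok"
}

# --- stand-alone demo on constructed fixtures (nothing touches /etc) ---
demo=$(mktemp -d)
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\n' > "$demo/hardened"
printf '#PasswordAuthentication no\n' > "$demo/default"   # commented out => yes
mkdir "$demo/ssh" && : > "$demo/ssh/authorized_keys"
chmod 700 "$demo/ssh" && chmod 600 "$demo/ssh/authorized_keys"
echo "hardened config: $(audit_sshd_config "$demo/hardened")"
echo "default config:  $(audit_sshd_config "$demo/default")"
echo "ssh dir perms:   $(check_ssh_perms "$demo/ssh")"
rm -rf "$demo"
```

Run it as-is to see the demo; to audit a real host, call `audit_sshd_config /etc/ssh/sshd_config` and `check_ssh_perms ~/.ssh` (a configuration that still prints "password-allowed" is the one the reply above warns about, since a compromised server can log every password it receives).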