Heterogeneous File Sharing Recommendations?

Jon Jensen jon at endpoint.com
Tue Feb 2 21:09:14 MST 2010

On Tue, 2 Feb 2010, Charles Curley wrote:

> Setting up public key auth is as simple as getting the users' public 
> keys onto the servers so they can log in, and verifying the correct 
> permissions. One public key per user you expect them to use.
> Using passwords means the passwords are sent over the net using weak or 
> no encryption.

Is that true? I don't think it is, for ssh. Passwords are always sent over 
the ssh tunnel using the same strong encryption that's used for the rest 
of the ssh conversation. They are as secure against third-party snooping as 
anything else about the ssh session.

The weakness with password authentication is that the server receiving the 
password can be modified to store the plaintext password, which, if it was 
used for other accounts or servers, can be used to log in elsewhere without 
authorization. Public-key cryptography avoids this weakness. Passwords are 
also much more likely to be guessed in a brute-force attack than ssh 
secret keys (aside from the Debian OpenSSL fiasco of 2008!). But the 
passwords are safe enough during transit.


Jon Jensen
End Point Corporation
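Both messages above describe the same two administrative checks: that each user's public key landed in ~/.ssh/authorized_keys with sane permissions, and that the server is not still accepting password logins that a tampered or brute-forced host could harvest. The script below is an added illustration and is not code from either poster. It assumes the conventional modes (home directory not group- or world-writable, ~/.ssh mode 700, authorized_keys mode 600, which is what sshd's default StrictModes enforces), reads PasswordAuthentication the way sshd does (first uncommented occurrence wins, default is yes) but ignores Match blocks, and builds its own throwaway home directories and sshd_config files as constructed sample data so it runs offline.

```shell
#!/bin/sh
# Audit helpers for public-key-only ssh logins (added example, not from the thread).

mode_of() {
    # Octal permission bits of a path; GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

group_or_world_writable() {
    # True when the group or "other" write bit is set (what StrictModes rejects).
    case "$(mode_of "$1")" in
        *[2367][0-7]|*[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

check_ssh_perms() {
    # $1 is a user's home directory. Returns 0 when the key material is laid
    # out the way sshd expects, 1 otherwise (each problem is reported).
    h=$1
    rc=0
    if group_or_world_writable "$h"; then
        echo "FAIL: $h is group- or world-writable"; rc=1
    fi
    if [ ! -d "$h/.ssh" ]; then
        echo "FAIL: $h/.ssh does not exist"; return 1
    fi
    if [ "$(mode_of "$h/.ssh")" != 700 ]; then
        echo "FAIL: $h/.ssh should be mode 700"; rc=1
    fi
    if [ ! -f "$h/.ssh/authorized_keys" ]; then
        echo "FAIL: $h/.ssh/authorized_keys is missing"; return 1
    fi
    if [ "$(mode_of "$h/.ssh/authorized_keys")" != 600 ]; then
        echo "FAIL: $h/.ssh/authorized_keys should be mode 600"; rc=1
    fi
    return $rc
}

password_auth_enabled() {
    # $1 is an sshd_config. sshd honours the first uncommented occurrence of a
    # keyword and defaults PasswordAuthentication to yes; Match blocks are not
    # handled here (assumption for this example).
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1")
    [ "${val:-yes}" = yes ]
}

make_fixture() {
    # Constructed sample data: one well-set-up home, one sloppy one, and two
    # sshd_config fragments. Prints the root directory it created.
    fx=$(mktemp -d)
    mkdir -p "$fx/good/.ssh" "$fx/bad/.ssh"
    chmod 755 "$fx/good" "$fx/bad"
    chmod 700 "$fx/good/.ssh"
    chmod 777 "$fx/bad/.ssh"
    key='ssh-ed25519 AAAAEXAMPLEKEYNOTREAL user@example.org'   # placeholder, not a real key
    echo "$key" > "$fx/good/.ssh/authorized_keys"
    echo "$key" > "$fx/bad/.ssh/authorized_keys"
    chmod 600 "$fx/good/.ssh/authorized_keys"
    chmod 644 "$fx/bad/.ssh/authorized_keys"
    printf '# constructed: password logins still on\nPasswordAuthentication yes\nPubkeyAuthentication yes\n' \
        > "$fx/sshd_config.weak"
    printf '# constructed: key-only logins\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
        > "$fx/sshd_config.hardened"
    echo "$fx"
}

demo() {
    root=$(make_fixture)
    for h in good bad; do
        if check_ssh_perms "$root/$h"; then echo "$h: key layout OK"; else echo "$h: fix before relying on keys"; fi
    done
    for c in weak hardened; do
        if password_auth_enabled "$root/sshd_config.$c"; then
            echo "sshd_config.$c: still accepts passwords"
        else
            echo "sshd_config.$c: key-only"
        fi
    done
    rm -rf "$root"
}

demo
```

Run it as-is to see the two constructed cases side by side, or call check_ssh_perms on a real home directory and password_auth_enabled on /etc/ssh/sshd_config after copying a user's key into place.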
