From: Josh Paetzel
To: freebsd-questions@freebsd.org
Cc: Jeff MacDonald, Atom Powers
Date: Tue, 24 Oct 2006 21:58:58 -0500
Subject: Re: a simple questions about sshd and PasswordAuthentication
Message-Id: <200610242158.59083.josh@tcbug.org>

On Tuesday 24 October 2006 21:54, Atom Powers wrote:
> On 10/24/06, Jeff MacDonald wrote:
> > Is there anything inherently dangerous or wrong about enabling
> > PasswordAuthentication in sshd_config?
> >
> > I understand how public keys are better and everything else. And
> > I do use them. I'm just curious.
>
> There are many arguments for and against, but /inherently/ they
> are the same. You are comparing your secret to the secret stored on
> the server. Keys just tend to be much longer secrets, and are also
> more difficult to change.

I don't know about that.
With password authentication someone has to guess a valid username and
password. With key authentication someone has to guess a valid username,
key, and passphrase. While I have boxes that experience thousands of
password-based brute-force attempts a day, I don't recall anyone ever
bothering to try and brute-force a key.

My personal opinion is that if you are using key-based authentication you
are for all practical purposes invulnerable to brute-forcing. The only
way someone is going to get in is via an exploit in ssh or by stealing
the key and passphrase from a valid user.

-- 
Thanks,
Josh Paetzel
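As an added example, not part of the thread above: the two things an operator would want to check in practice are (a) whether sshd still accepts a password at all once PasswordAuthentication is turned off, and (b) how much password brute-forcing the box is actually seeing in its auth log. The sshd_config fragments and auth.log lines below are constructed for the example, the "weak" and "hardened" names are mine, and the parser makes two assumptions stated in the comments: no Match blocks, and the OpenSSH defaults (both password paths enabled when a keyword is absent). The check also covers the keyboard-interactive/PAM path, which sshd uses to prompt for a password even when PasswordAuthentication is no.

```python
import re
from collections import Counter

# Constructed sshd_config fragments (not from the original thread).
WEAK_SSHD_CONFIG = """\
# Keys work, but every password path is still open.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
# PAM can still prompt for a password over keyboard-interactive unless
# that path is closed too (older and newer keyword spellings shown).
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value, applying sshd's rule that the FIRST
    occurrence of a keyword wins. Assumption: no Match blocks; parsing stops
    at one because everything after it is conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def password_paths_open(settings):
    """Names of the password-bearing auth paths still enabled, using OpenSSH
    defaults (both default to yes) when a keyword is absent."""
    open_paths = []
    if settings.get("passwordauthentication", "yes") == "yes":
        open_paths.append("PasswordAuthentication")
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd == "yes":
        open_paths.append("KbdInteractiveAuthentication")
    return open_paths


# Constructed auth.log lines in OpenSSH's syslog format (not real traffic).
SAMPLE_AUTH_LOG = """\
Oct 24 21:40:01 gimpy sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 24 21:40:02 gimpy sshd[3101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 24 21:40:04 gimpy sshd[3104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 24 21:40:09 gimpy sshd[3108]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Oct 24 21:41:15 gimpy sshd[3122]: Failed keyboard-interactive/pam for invalid user test from 198.51.100.22 port 40210 ssh2
Oct 24 21:58:58 gimpy sshd[3190]: Accepted publickey for josh from 192.0.2.10 port 40022 ssh2
Oct 24 22:01:03 gimpy sshd[3201]: Accepted password for josh from 203.0.113.5 port 51299 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?P<method>password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_auth_log(lines):
    """Extract result, method, user, ip and port from each sshd auth line."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_by_method(events):
    """Count failures per method: password-style methods can be guessed from
    the network, a failed publickey attempt cannot be guessed the same way."""
    return Counter(e["method"] for e in events if e["result"] == "Failed")


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed password or
    keyboard-interactive attempts, plus any user that IP also logged in as.
    Assumption: threshold=3 is a demo value; tune it to the box."""
    failures = Counter(
        e["ip"] for e in events
        if e["result"] == "Failed" and e["method"] != "publickey"
    )
    report = {}
    for ip, n in failures.items():
        if n >= threshold:
            accepted = sorted({e["user"] for e in events
                               if e["ip"] == ip and e["result"] == "Accepted"})
            report[ip] = {"failed": n, "accepted_users": accepted}
    return report


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, "password paths still open:",
              password_paths_open(parse_sshd_config(cfg)))
    events = parse_auth_log(SAMPLE_AUTH_LOG.splitlines())
    print("failed attempts by method:", dict(failed_by_method(events)))
    print("brute-force sources:", brute_force_sources(events))
```

Two points worth noting from the code: sshd takes the first value it sees for a keyword, so a hardening line appended at the end of a config that already says PasswordAuthentication yes higher up does nothing; and a source that piles up password failures and then gets an Accepted line for a real account is exactly the case the report is built to surface.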