Linode Community Forums
Posted: Mon Feb 08, 2010 5:30 pm
kmweber wrote:
vonskippy wrote:
People still setup SSH to use passwords???


This.

No reason not to have SSH configured to allow only PK authentication.


+1

It even helps you out if you have to manage X boxes: you can use a single key, some ssh-agent magick, and ssh in and out of them without ever needing to invent, remember or type any passwords.


Posted: Tue Feb 09, 2010 1:28 am
kmweber wrote:
No reason not to have SSH configured to allow only PK authentication.

I don't carry a storage device around with me at all times, so having credentials that can be memorized is useful to me.


Posted: Tue Feb 09, 2010 10:34 pm
Vance wrote:
kmweber wrote:
No reason not to have SSH configured to allow only PK authentication.

I don't carry a storage device around with me at all times, so having credentials that can be memorized is useful to me.


Pssh, you don't have your 4096-bit key memorized?


Posted: Tue Feb 09, 2010 10:41 pm
Location: Colorado, USA
Vance wrote:
I don't carry a storage device around with me at all times, so having credentials that can be memorized is useful to me.

You'd rather use an untrusted system with a password than carry around a teeny tiny thumbdrive?

If I'm not at my desktop (home or work) or I'm on the road and I don't have my smartphone or netbook or notebook, then I don't log in.


Posted: Tue Feb 09, 2010 11:01 pm
vonskippy wrote:
Vance wrote:
I don't carry a storage device around with me at all times, so having credentials that can be memorized is useful to me.

You'd rather use an untrusted system with a password than carry around a teeny tiny thumbdrive?

If I'm not at my desktop (home or work) or I'm on the road and I don't have my smartphone or netbook or notebook, then I don't log in.


+1 * 1e400

Totally agree.


Posted: Tue Feb 09, 2010 11:50 pm
vonskippy wrote:
You'd rather use an untrusted system with a password than carry around a teeny tiny thumbdrive?

Exactly what benefit do you think a private key will give you if you plug it into an untrusted system? All I need to do is copy off the data on your thumbdrive (eh; just copy files that are used) and perform keyboard logging, and I now have your key _and_ passphrase.

(And that assumes you have your own ssh client on the thumbdrive and aren't using an insecure one on the machine).

Untrusted systems are, by definition, untrusted.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Wed Feb 10, 2010 12:31 am
Website: http://markwalling.org
SelfishMan told me about http://www.yubico.com/products/yubikey/

I've been using it with its PAM module for a couple months now, and it works very well. It shows up as a HID keyboard, and when plugged into a virgin port on a Windows machine, is ready to go in ~ 5 seconds. It does mean that you still have to accept password logins over SSH, but you can remove passwd from PAM for the ssh service (or something like that. I come from Slackware where PAM is the root of all evil, so it is a little bit voodoo magic).


Posted: Wed Feb 10, 2010 6:28 am
vonskippy wrote:
If I'm not at my desktop (home or work) or I'm on the road and I don't have my smartphone or netbook or notebook, then I don't log in.

Okay. That's the decision you've made.

The assertion was that there was "no reason" to use password authentication. You may disagree with my reason, but it's still a reason.

As Mr. Schneier is fond of saying, security is about making tradeoffs. In some cases I have looked at the value of what is being protected, the convenience of being able to log in via password, and the countermeasures taken to prevent illegitimate logins, and decided password authentication is worthwhile.


Posted: Wed Feb 10, 2010 8:32 am
If you are going to log in from an untrusted computer, then your only hope is actually a key-based login and a very hard-to-break root password, though even then it's a matter of a local brute-force attack.

So just don't use untrusted computers to login to your server...

That being said, it's not a good argument against key based login at all.

The way to secure the SSHD is:
1. move the port from default 22 to something random
2. create an everyday account that you will use to login
3. disable "sudo su" if you are using a distro that is set up that way by default (like Ubuntu).
4. disable remote root login
5. set up key-based login
6. set up a private/public key (with password) and make sure you can log in as a non-root user to the server
7. disable login by just password, hence leaving PK as the only option

That means that from then on you'll be logging in to your server as non-root; a password-protected key file means an attacker needs both the private key file and its password, and will need to become root (and have the root password) before they can do any damage.

So it's:
one root password
- vs -
1. find sshd port
2. somehow steal the private key file (which is the hardest part)
3. brute force the password used on the private key file
4. brute force the root password

Yeah, bad news is that you'll need to remember 2 passwords, 1. for key, and 2. for root. Though if you really really want to remember just one password - then it's better to have a passwordless private key file for non-root account + really strong root password.


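One way to turn the checklist above into something you can generate and audit, as an added example that is not the poster's own code: a POSIX shell script that emits an sshd_config fragment for steps 1, 2, 4, 5 and 7 (step 3 and 6 are done with sudoers and ssh-keygen, not in this file) and a function that checks an existing sshd_config for those settings. The port 2222, the user name alice and the file paths are constructed placeholders. Match blocks are not handled. One caveat worth knowing: with UsePAM yes, sshd's keyboard-interactive method can still prompt for a password even when PasswordAuthentication is no, so ChallengeResponseAuthentication must be off as well for step 7 to hold.

```shell
#!/bin/sh
# Added example, not the poster's code: generate an sshd_config fragment that
# implements the checklist above and audit an existing sshd_config against it.
# The port, user name and paths used here are constructed placeholders.

# Emit a hardened sshd_config fragment on stdout.
#   $1 = listening port (step 1), $2 = everyday non-root login user (step 2)
hardened_sshd_config() {
    cat <<EOF
# Checklist settings (placeholder values: port $1, user $2)
Port $1
PermitRootLogin no
AllowUsers $2
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
# With UsePAM yes, keyboard-interactive could still prompt for a password
# unless this is also off.
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
EOF
}

# Print the effective value of keyword $2 in config file $1: sshd uses the
# first occurrence, keywords are case-insensitive, '#' lines are comments.
# (Match blocks are not handled.)
setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Audit config file $1. Prints one FAIL line per missing hardening step and
# returns 1 if any failed, 0 if the file enforces the checklist.
check_sshd_config() {
    f="$1"
    rc=0
    [ "$(setting "$f" PermitRootLogin)" = "no" ] \
        || { echo "FAIL: PermitRootLogin must be no (step 4)"; rc=1; }
    [ "$(setting "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no (step 7)"; rc=1; }
    [ "$(setting "$f" ChallengeResponseAuthentication)" = "no" ] \
        || { echo "FAIL: ChallengeResponseAuthentication must be no (step 7)"; rc=1; }
    # PubkeyAuthentication defaults to yes, so only an explicit "no" fails.
    [ "$(setting "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication must not be no (step 5)"; rc=1; }
    [ -n "$(setting "$f" AllowUsers)" ] \
        || { echo "FAIL: AllowUsers should name the everyday account (step 2)"; rc=1; }
    port=$(setting "$f" Port)
    [ "${port:-22}" != "22" ] || echo "WARN: still listening on port 22 (step 1)"
    return $rc
}

# Stand-alone use: write the fragment to a placeholder path and audit it.
if [ "${1:-}" = "--demo" ]; then
    hardened_sshd_config 2222 alice > /tmp/sshd_config.example
    check_sshd_config /tmp/sshd_config.example && echo "OK: /tmp/sshd_config.example"
fi
```

Run it with `--demo` to see the fragment audited, or point `check_sshd_config` at the live /etc/ssh/sshd_config before and after editing. Before restarting sshd, `sshd -t -f <file>` checks the file for syntax errors, and it pays to keep the old session open until a fresh key login on the new port has been confirmed.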
Posted: Wed Feb 10, 2010 8:41 am
mwalling wrote:

Interesting device, but inadequate by itself for security; what happens if it's stolen? It's good as part of a two-factor authentication system (eg password plus yubikey OTP).

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Wed Feb 10, 2010 9:03 am
Website: http://markwalling.org
I'm using it in 2 factor mode for sshd (which is different from my /etc/passwd password)


Posted: Wed Feb 10, 2010 12:49 pm
Location: NC, USA
Hmmm, passwords are good enough for my bank account, my retirement fund, and oh yeah LISH and LPM.

In 2+ years of running sshd on port 22 of my linodes, there has not been a single attempt that even supplied a valid username.

Paranoia is great, but well-chosen passwords are still plenty secure for my purposes.


Posted: Wed Feb 10, 2010 1:31 pm
Quote:
In 2+ years of running sshd on port 22 of my linodes, there has not been a single attempt that even supplied a valid username.


Do you change root to something else then?

In ~5 minutes of setting up a fresh Linode and having sshd on port 22, I had 100s of hits trying to guess the root password.


Posted: Wed Feb 10, 2010 1:35 pm
Location: NC, USA
In sshd_config:
Code:
# only this account may authenticate at all; everyone else is refused
AllowUsers someusername
# root is refused outright, so guesses against its password never get checked
PermitRootLogin no


Post subject: Setup SSH correctly!
Posted: Thu Feb 11, 2010 5:40 am
Website: http://www.unixtastic.com
Location: Europe
vonskippy wrote:
People still setup SSH to use passwords???


It amazes me too. There is no excuse for falling to simple username/password dictionary attacks.

Here is a clue, people:

Use SSH public key authentication
Limit keys to certain source IPs if practical ( yes it does that )
Limit keys to certain commands if practical ( yes it does that too )
Disable root authentication or disable root password authentication
Don't use predictable usernames
Implement a decent password policy
Implement SSH connection rate limiting in iptables
Changing the SSH port isn't security. At best it reduces the rate of attacks.

If you know enough to argue with the above ( like the people who say denyhosts is better than iptables rate limiting ) then do what you know to be right.


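The "limit keys to certain source IPs" and "limit keys to certain commands" items above refer to the from= and command= options that OpenSSH accepts in front of a key in authorized_keys, and the rate-limiting item to the iptables recent match. As an added example that is not the poster's own code, here is a POSIX shell script that builds such a restricted authorized_keys entry, reads the restrictions back out of one (useful for auditing an existing file), and prints the two iptables rules. The network 203.0.113.0/24, the command path, the key blob and the comment are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not the poster's code: restrict an SSH key to a source
# network and one command via authorized_keys options, read those
# restrictions back, and print iptables rate-limit rules for the sshd port.
# Network, command, key blob and comment below are constructed placeholders.

# Build one authorized_keys line.
#   $1 = allowed source (host, CIDR or pattern list; the from= option)
#   $2 = the only command this key may run (the command= option)
#   $3 = key type, $4 = base64 key blob, $5 = comment
restricted_authorized_key() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Print the value of quoted option $2 (e.g. from, command) on line $1, or
# nothing if absent. Options precede the key type, comma separated; values
# are double-quoted and are assumed to contain no double quotes.
key_option() {
    printf '%s\n' "$1" | sed -n "s/^\(.*,\)*$2=\"\([^\"]*\)\".*\$/\2/p"
}

# Return 0 when line $1 carries both a from= and a command= restriction.
check_restricted_key() {
    [ -n "$(key_option "$1" from)" ] && [ -n "$(key_option "$1" command)" ]
}

# Emit iptables rules that drop a source making 5 or more new connections
# to the sshd port within 60 seconds ("recent" match module).
#   $1 = sshd port (defaults to 22)
ssh_ratelimit_rules() {
    port="${1:-22}"
    cat <<EOF
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP
EOF
}

# Stand-alone use: print a restricted key line and the rules
# (constructed placeholder key, not real key material).
if [ "${1:-}" = "--demo" ]; then
    restricted_authorized_key "203.0.113.0/24" "/usr/local/bin/backup-pull" \
        ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDERPLACEHOLDERPLACEHOLDER backup@example.invalid
    ssh_ratelimit_rules 2222
fi
```

The from= pattern may be a host name pattern or a CIDR block, and command= is enforced by sshd regardless of what the client asks to run (the requested command is exposed to it in SSH_ORIGINAL_COMMAND). The rules are printed rather than applied so they can be reviewed first; `ssh_ratelimit_rules 2222 | sh` as root installs them, and they belong before any general ACCEPT rule for the port. Newer OpenSSH also offers the single restrict option as shorthand for the no-* options used here.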