On Thu, Dec 5, 2019 at 9:02 AM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> wrote:
>
> On Thursday, December 5, 2019 5:41:44 AM MST Nico Kadel-Garcia wrote:
> > If someone wants to spend that much of their resources on homedir
> > security, they need to decide whether they want SSH key based access.
> > That is manageable by configuring SSH to store SSH public keys in an
> > alternate location and inform the users of the modified sshd_config
> > and its modified, accessible "AuthorizedKeysFile" setting. Or the user
> > can spend the time and effort to activate Kerberos based logins, or
> > use password based logins. I'd avoid trying to rewrite SSH for such an
> > OS-specific and non-portable need as homedir decryption mounting.
>
> Please don't recommend to anyone to use passwords for SSH. That is incredibly
> insecure, and if privileged users are using password-based SSH, that'll
> quickly lead to a serious compromise of your entire system, depending on the
> complexity of the password, of course, but still holds nothing to key-based
> authentication with the best password.
>

Please don't suggest that password-based auth for SSH is insecure.
That's not even close to true. A password isn't terribly different
from an SSH key from an authentication perspective. If the password is
strong or hard to crack, then it's fine.

Frankly, it's irresponsible to give blanket statements like that,
because they're untrue and do not recognize the nuance of threat
models and risk assessments.

For the vast majority of people using SSH in a non-shared context
(i.e. not a VPS or some kind of easily accessible server), password
auth is more than sufficient with a strong enough password or
passphrase.

-- 
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx