On Thursday, December 5, 2019 7:07:04 AM MST Neal Gompa wrote:
> Please don't suggest that password-based auth for SSH is insecure.
> That's not even close to true. A password isn't terribly different
> from an SSH key from an authentication perspective. If the password is
> strong or hard to crack, then it's fine.

It's not insecure as a mechanism, but, without something like fail2ban, it takes a surprisingly short amount of time to break into systems using password authentication. In practice, it is insecure, especially when compared to the other options.

> Frankly, it's irresponsible to give blanket statements like that,
> because they're untrue and do not recognize the nuance of threat
> models and risk assessments.

It is irresponsible to suggest password based authentication, especially at a time where residential ranges especially are being mass scanned, and bots attempt to break into these systems once ssh servers with password authentication have been found.

> For the vast majority of people using SSH in a non-shared context
> (i.e. not a VPS or some kind of easily accessible server), password
> auth is more than sufficient with a strong enough password or
> passphrase.

This would depend heavily on what environment they're using it on. If it never connects to the internet, you would be correct. If it connects to shared wifi, or home wifi with the average home router, then I would argue that it is not sufficient to use password authentication. Especially on shared wifi, for example guest wifi at most businesses.

--
John M. Harris, Jr.
Splentity