OK, I think I have realised what has been confusing me (and, maybe you, in the plural).

I have been looking at this security question with a sort of 'tunnel vision': I'm concerned with login security of remote systems **when viewed from my desktop**. For this specific case, i.e. when someone is sitting at my desk, or has my laptop in front of them, there is little to choose between password and public-key authentication. To break either, all the intruder has to do is guess/break my password or the passphrase protecting my public-key.

**However**, from the point of view of a system 'out there' on the publicly accessible internet, open to connections from anywhere, key-based authentication is much more secure because an attacker has to guess/break a very long (400 or 500 character) key rather than a 10 or 20 character password.

So, for systems on my LAN which don't have 'internet facing' ssh access I'm now fairly convinced that password based security is fine. My desktop, which *does* have (limited) accessibility from the internet, should probably allow only key-based ssh access from outside.

Any system which is open (even if limited by means such as allowing access only from certain IP ranges etc.) to internet access should preferably allow only key-based ssh authentication so that (relatively short) password guessing isn't possible. On the other hand, for systems on my LAN and/or any other system which isn't open to anyone to attack, password based authentication is quite OK.

Thanks for all the help and useful discussion everyone. :-)

-- 
Chris Green

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
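The policy Chris arrives at above (key-only from the internet, passwords allowed on the LAN) can be expressed in a single `sshd_config` with a `Match Address` block. This is an added illustration, not configuration from the thread or from the OpenSSH project; the LAN range 192.168.1.0/24 is an assumed placeholder.

```sshd_config
# /etc/ssh/sshd_config fragment (added example; assumed LAN 192.168.1.0/24)

# Global defaults: these apply to every source address, including the
# internet, so the strict settings go here.
PubkeyAuthentication yes
PasswordAuthentication no
# On releases before OpenSSH 8.7 this directive is spelled
# ChallengeResponseAuthentication; leaving it on re-enables PAM password
# prompts, so it must be off as well.
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3

# Relaxation for the local network only. A Match block applies until the
# next Match or end of file, so every global directive must sit above it.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
```

After editing, `sshd -t` checks the syntax, and `sshd -T -C addr=203.0.113.5,user=chris,host=example.invalid` (any address outside the LAN range) prints the effective settings for an internet-side connection, which should show `passwordauthentication no`.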