On 2024/10/22 09:14, Chris Green wrote:
> I have been looking at this security question with a sort of 'tunnel
> vision', I'm concerned with login security of remote systems **when
> viewed from my desktop**. For this specific case, i.e. when someone
> is sitting at my desk, or has my laptop in front of them, there is
> little to choose between password and public-key authentication.

Also consider the case of connecting to a malicious remote host. Either a totally illegitimate host where you don't have a known_hosts entry or fingerprint to check, or where a "good" host has been compromised.

With public keys, your password is not sent to the remote system. With passwords, a modified sshd could log your password (avoiding any need to brute-force the hash from the password database).

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
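
Added example, not part of the original message: a client-side check for the exposure described in the reply above. It reads `ssh -G <host>` output (the client's effective configuration) and flags any method that would send a password to the remote sshd. The function name `audit_ssh_client` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Real use: ssh -G host.example | audit_ssh_client
# Returns non-zero if this client could hand a password to the server.

audit_ssh_client() {
    awk '
        BEGIN { pw = "unset"; kbd = "unset"; shk = "unset" }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { pw = val }
        # ChallengeResponseAuthentication is the older name of the
        # keyboard-interactive option; flag it if either name is enabled.
        (key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") {
            if (val != "no") kbd = val
            else if (kbd == "unset") kbd = "no"
        }
        key == "stricthostkeychecking" { shk = val }
        END {
            bad = 0
            # Anything other than an explicit "no" is treated as enabled.
            if (pw != "no")  { print "FAIL passwordauthentication=" pw; bad = 1 }
            if (kbd != "no") { print "FAIL kbdinteractiveauthentication=" kbd; bad = 1 }
            # Host key checking cannot detect a compromised "good" host,
            # so a lax setting is reported as a warning only.
            if (shk != "yes" && shk != "true") {
                print "WARN stricthostkeychecking=" shk
            }
            if (!bad) print "OK no password-based method enabled"
            exit bad
        }'
}

# Constructed sample: password methods left enabled.
sample_default() {
    printf '%s\n' 'hostname example.test' \
        'passwordauthentication yes' \
        'kbdinteractiveauthentication yes' \
        'stricthostkeychecking ask'
}

# Constructed sample: a Host block with PasswordAuthentication no,
# KbdInteractiveAuthentication no and StrictHostKeyChecking yes.
sample_hardened() {
    printf '%s\n' 'hostname example.test' \
        'passwordauthentication no' \
        'kbdinteractiveauthentication no' \
        'stricthostkeychecking true'
}
```
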