* David M. Fetter wrote on Wed, Jun 11, 2003 at 11:26 -0700:
> Safe is relevant to how secure you need your environment/data to be. It's "safer" or more secure to use keys only, but if you don't have stringent security requirements then password authentication might be acceptable. If somebody is going to brute force you, then it's easier to break an eight character password than a potentially much longer passphrase.

... which assumes that the encrypted secret key is known, which shouldn't be :-) Having long MD5 passwords (e.g. 14 chars random) can be really heavy to support to your users, so if you have higher security demands then using SSH keys (e.g. on key disks on secured workstations only) can be more easy, finally. I think, in practice brute force attempts against 8 char (non-word mixed case, at least one special char and digit) won't work if someone keeps an eye on syslog. Since the cipher text isn't known, an attacker needs heaps of SSH connects (thousands or even millions) which takes a lot of time and should be noticed by you.

oki,

Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
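
The "keep an eye on syslog" point above can be automated. The following is an added example, not part of the original message: it counts sshd `Failed password` lines per source address in a sliding time window. The log line layout (standard OpenSSH syslog format), the threshold, the window, and the year (syslog timestamps carry none) are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH logs unknown accounts as "invalid user"; older releases said "illegal user".
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1), year=2003):
    """Return {ip: peak failure count inside any `window`} for sources
    that reach `threshold`. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    peak = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # accepted logins, other daemons, etc.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

# Constructed sample: one noisy source, one user with occasional typos.
SAMPLE = [
    "Jun 11 11:26:01 gw sshd[2101]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "Jun 11 11:26:05 gw sshd[2102]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "Jun 11 11:26:09 gw sshd[2103]: Failed password for illegal user admin from 192.0.2.10 port 40003 ssh2",
    "Jun 11 11:26:14 gw sshd[2104]: Failed password for root from 192.0.2.10 port 40004 ssh2",
    "Jun 11 11:26:20 gw sshd[2105]: Failed password for root from 192.0.2.10 port 40005 ssh2",
    "Jun 11 11:26:27 gw sshd[2106]: Failed password for invalid user test from 192.0.2.10 port 40006 ssh2",
    "Jun 11 11:26:30 gw sshd[2110]: Accepted password for alice from 198.51.100.7 port 51000 ssh2",
    "Jun 11 11:30:00 gw sshd[2111]: Failed password for alice from 198.51.100.7 port 51001 ssh2",
    "Jun 11 12:45:00 gw sshd[2150]: Failed password for alice from 198.51.100.7 port 51002 ssh2",
]

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE).items():
        print(f"{ip}: {count} failed logins within one minute")
```

A guessing run shows up within its first handful of attempts, long before the thousands of connects an online attack needs, while the user with two typos over an hour stays below the threshold.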