-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi !

...

In terms of security what is more secure: require authentication (username and password) or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for username and password)? In the second case there is no need of authentication and only the users wich have the public keys in the list are allowed to enter in my intranet. That's not true. If someone doesn't have the private key belonging to a certain public key in the list, he is asked for the password. Or is it possible to configure a remote computer in such a way that it doesn't give you a login prompt any more if there exists a public key?

- --> You can tell the SSH deamon not to accept passwords. See /etc/ssh/sshd_config Set: PubkeyAuthentication yes PasswordAuthentication no If you allow only port 22 (SSH) from outside, then you can only login to the computer by using an SSH public key.

...

This second solution is a good solution or that brings other security problems ? The solution with the keys is less secure than the one with passwords, of course. If Computer A connects to computer B via SSH, and there exists a pair of keys so that you don't have to enter the password, then a hacker who logged into computer A has also free access to computer B (crack one, access two). If there's no real need for a pair of keys (e.g. if a cron job copies files from A to B), then you shouldn't use that.

- --> But if computer A is not hacked, it is easier to brute-force crack machine B when "only" guessing a password than if the attacker has to guess a 2048bit private key. So as suggested before, if you are worried about the security of the private keys, create them with a password. Bye, Armin - -- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE92Q3MG8Xv4GxznLoRAmJBAJ9O161EvxWFWwvEyJ5mB8ZHJjsquACdEDzR VIDK/u7Z2pLUdy0VcoICxPk= =5jCF -----END PGP SIGNATURE-----