On Sat, 2008-11-29 at 10:30 +0000, G T Smith wrote: <snip>
I would generally prefer the password protected key option (to use the key you have to authenticate with a password), which is same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is they can get lost, usually when you most need them :-) . If the wrong person gets the lost key then you could be toast if the key is not protected.
For private use I tend to prefer password entry plus blocks on the external firewall, as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at the external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-) ).
What I would like to do is fix up some sort of single sign on, so one authentication allows access to networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc. could be a major pain). So one has one strong point of entry rather than several points of varying strength.
It's the usual trade-off between security level and ease of use / maintainability.... For gaining access to a specific (or any) node in your network, you might consider the use of tokens (Aladdin, Kobil). Almost all systems have a USB port nowadays. Private keys protected by a PIN code, that snaps after three failed attempts. It raises the security level drastically, but at what cost, is it worthwhile?

OTOH, using single-sign-on techniques (distributing trusted keys, kerberos etc. etc.) removes security barriers. Instead of access to a specific node, one gets access to all nodes.

In case you want to avoid the maintenance of tokens, there is still another option I saw last week. If one wants to login, send the user a one-time password via an SMS message on his GSM... (It seems that ordinary lusers are more careful about their private GSM and PIN code than with company tokens....)

hw

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
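The "if the key is not protected" point above is something you can audit rather than hope for. The following is an added example, not code from this thread or from any of the posters: a small Python checker that reports whether a private key file is passphrase protected, by reading the cipher name from the openssh-key-v1 header (a cipher of "none" means the key is stored in the clear) or, for the older PEM format, looking for the "Proc-Type: 4,ENCRYPTED" header. The sample key texts are constructed for the example and contain no real key material; the openssh-key-v1 blobs are truncated right after the header fields the check needs.

```python
import base64
import struct

# Magic prefix of the OpenSSH private key container ("openssh-key-v1" + NUL).
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf, offset):
    """Decode an SSH wire-format string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def openssh_key_cipher(key_text):
    """Return the cipher name recorded in an openssh-key-v1 file, or None if
    the text is not in that format (e.g. a legacy PEM key)."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----":
        return None
    body = "".join(line for line in lines[1:] if not line.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    # Header layout: magic, string ciphername, string kdfname, string kdfoptions, ...
    cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def key_is_passphrase_protected(key_text):
    """True if the private key is encrypted under a passphrase, False if it is
    stored in the clear. Raises ValueError for unrecognised input."""
    text = key_text.strip()
    cipher = openssh_key_cipher(text)
    if cipher is not None:
        return cipher != "none"
    # Legacy PEM (RSA/DSA/EC) keys mark encryption with a Proc-Type header.
    if text.startswith("-----BEGIN") and "PRIVATE KEY-----" in text:
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not a recognised private key")


def audit_keys(keys):
    """Given {name: key_text}, return the names of keys stored unprotected."""
    return sorted(name for name, text in keys.items()
                  if not key_is_passphrase_protected(text))


def _fake_openssh_key(cipher, kdf):
    """Constructed sample: an openssh-key-v1 container truncated after the
    header fields (ciphername, kdfname, kdfoptions, key count). No real key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode("ascii")
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (no key material): protected vs. unprotected, both formats.
PROTECTED_SAMPLE = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
UNPROTECTED_SAMPLE = _fake_openssh_key(b"none", b"none")
LEGACY_ENCRYPTED_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgc2FtcGxlLCBub3QgYSByZWFsIGtleQ==
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    sample_dir = {"id_ed25519": PROTECTED_SAMPLE, "id_rsa_old": LEGACY_PLAIN_SAMPLE,
                  "deploy_key": UNPROTECTED_SAMPLE, "id_rsa": LEGACY_ENCRYPTED_SAMPLE}
    for name in audit_keys(sample_dir):
        print("unprotected private key:", name)
```

Run it over the contents of ~/.ssh on a box you administer and it lists the keys that would be usable as-is by whoever picks up a lost laptop or backup; those are the ones to re-encrypt with ssh-keygen -p.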