On Saturday 29 November 2008 04:30:44 am G T Smith wrote:
Rajko M. wrote:
On Friday 28 November 2008 07:33:01 am G T Smith wrote:
I would agree that if you have a regular need for ssh access from an external location, this is the preferable authentication mechanism, though a slight case of overkill for a small home network for mainly internal use.
In any network it is more convenient to have keypair authentication, than to type passwords all the time. One time more work and then enjoy.
I would generally prefer the password-protected key option (to use the key you have to authenticate with a password), which is the same difference in the latter context. The thing about household or computer keys (like single socks, paper clips, and pens) is that they can get lost, usually when you most need them :-). If the wrong person gets the lost key then you could be toast if the key is not protected.
I was talking about a private/public keypair and ssh access. Once you set up computers that can talk to each other and exclude all others, you just connect. It is some work to move public keys around, but once it is done you need the procedure only when you buy a new computer, or a hard disk fails. Nothing can get lost, as you have nothing to remember.
For private use I tend to prefer password entry plus blocks on the external firewall, as I have very little call for external ssh access at the moment. On the very rare occasions I think I will need it (once in the last 12 months or so), I set up the port to be opened at the external firewall at a fixed time for a fixed time. (The key is in your head, and if you lose that you have other things to worry about :-)).
Sure, under some circumstances :-D Under normal conditions, it is not so hard to trick yourself and forget an easy-to-remember password. I did that a few times creating passwords for others. Luckily I know more than one way to recover from that kind of problem, otherwise it would be a real embarrassment.
What I would like to do is fix up some sort of single sign-on, so one authentication allows access to networked resources at a network level, but unfortunately for *NIX this would be a major project (and getting this to work with ssh, cups, apache and samba etc. could be a major pain). So one has one strong point of entry rather than several points of varying strength.
It is a good idea, but as you said it involves some work and extra resources, and it has no justification in a home or small office setting.
If this requirement changes I will almost certainly implement something better, but until this happens I have other things to do. YMMV
-- Regards, Rajko
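The set-up the two of them are arguing about, written out as an added example (this is not code from the thread or from openSUSE): a passphrase-protected key pair, an sshd fragment that accepts keys only, an authorized_keys file that restricts each key to a source network or to a single command, and the commands for opening the ssh port on an iptables firewall for a fixed window. The file paths, the source network, the backup command, the passphrase and the sample public key are all assumptions; the public key in particular is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example, not from the thread or from openSUSE. Paths, host names,
# the network range, the passphrase and the sample key are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed placeholder public key (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotRealXXXXXXXXXXXX home-laptop'

# sshd drop-in that refuses passwords and keeps only public-key auth
# (would normally live under /etc/ssh/sshd_config.d/, an assumed path).
write_sshd_fragment() {            # $1 = output path
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
}

# Check: a fragment that still allows passwords is a misconfiguration.
fragment_is_key_only() {           # $1 = fragment path
    grep -qx 'PasswordAuthentication no' "$1" &&
    ! grep -qx 'PasswordAuthentication yes' "$1"
}

# Interactive login key, accepted only from the home LAN, no agent/X11 forwarding.
interactive_key_line() {           # $1 = source pattern, $2 = public key
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Key that may run one fixed command only (e.g. a backup pull), nothing else.
command_key_line() {               # $1 = command, $2 = public key
    printf 'restrict,command="%s" %s\n' "$1" "$2"
}

# Number of keys in an authorized_keys file (ignores blank and comment lines).
count_keys() {                     # $1 = authorized_keys path
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Commands that schedule a time-limited opening of port 22 on the external
# firewall via at(1). Printed, not executed, since they need root.
timed_ssh_window() {               # $1 = at(1) time spec, $2 = hours to stay open
    cat <<EOF
echo 'iptables -I INPUT -p tcp --dport 22 -j ACCEPT' | at $1
echo 'iptables -D INPUT -p tcp --dport 22 -j ACCEPT' | at $1 + $2 hours
EOF
}

main() {
    write_sshd_fragment "$WORK/50-keys-only.conf"
    fragment_is_key_only "$WORK/50-keys-only.conf"

    {
        interactive_key_line '192.168.1.0/24' "$SAMPLE_PUBKEY"
        command_key_line '/usr/local/bin/backup-pull' "$SAMPLE_PUBKEY"
    } > "$WORK/authorized_keys"
    chmod 600 "$WORK/authorized_keys"

    # Passphrase-protected key pair; skipped when OpenSSH is not installed so
    # the rest of the example still runs. The fingerprint printed by -l is
    # what you compare on the server side after copying the public key over.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N 'correct horse battery staple' \
            -C 'home-laptop' -f "$WORK/id_ed25519"
        ssh-keygen -l -f "$WORK/id_ed25519.pub"
    fi

    cat "$WORK/50-keys-only.conf" "$WORK/authorized_keys"
    timed_ssh_window now 2
}
main
```

The `restrict` option (OpenSSH 7.2 and later) turns off pty, port forwarding, agent forwarding and X11 for that key, so a stolen backup key cannot be turned into a shell; the interactive key keeps its pty but is only honoured from the LAN range. After copying the public key to a server with ssh-copy-id, compare the `ssh-keygen -l` fingerprint on both ends before removing password login.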