I implemented an SSH connection from the outside to my intranet. This SSH connection requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the authorized public key lists (in this case there is no need for a username and password)? In the second case there is no need for authentication, and only the users who have the public keys in the list are allowed to enter my intranet.

That's not true. If someone doesn't have the private key belonging to a certain public key in the list, he is asked for the password. Or is it possible to configure a remote computer in such a way that it doesn't give you a login prompt any more if there exists a public key?
Is this second solution a good solution, or does it bring other security problems?

The solution with the keys is less secure than the one with passwords, of course. If computer A connects to computer B via SSH, and there exists a pair of keys so that you don't have to enter the password, then a hacker who logged into computer A also has free access to computer B (crack one, access two). If there's no real need for a pair of keys (e.g. if a cron job copies files from A to B), then you shouldn't use that.

Bye
Uli
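
Whether the server still offers a password prompt once keys are configured, as asked in the reply above, depends on the server's `sshd_config`. The following is an added example, not part of the original posts: a Python check over the global section of a config. It assumes upstream OpenSSH defaults, the sample configs are constructed, the function names are hypothetical, and `Match` blocks and `Include` files are not evaluated.

```python
# Added example (not from the thread): which login methods does the global
# section of an sshd_config still offer?
# Assumption: upstream OpenSSH defaults; a distribution may ship others.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample configs, not taken from any real host.
KEYS_WITH_FALLBACK = """\
PubkeyAuthentication yes
"""
KEYS_ONLY = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# sshd uses the first value it reads, so this later line has no effect
PasswordAuthentication yes
"""

def effective_auth(config_text):
    """Effective yes/no value per auth keyword, global section only."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        if keyword == "match":
            break  # per-user/per-host overrides are not evaluated here
        if keyword in DEFAULTS and len(parts) > 1:
            seen.setdefault(keyword, parts[1].lower())  # first value wins
    return {**DEFAULTS, **seen}

def password_prompt_possible(config_text):
    """True if a client without an accepted key can still be asked for a password."""
    eff = effective_auth(config_text)
    return "yes" in (eff["passwordauthentication"], eff["kbdinteractiveauthentication"])

if __name__ == "__main__":
    for name, cfg in (("keys+fallback", KEYS_WITH_FALLBACK), ("keys only", KEYS_ONLY)):
        print(name, effective_auth(cfg), "password prompt:", password_prompt_possible(cfg))
```

On a live host, `sshd -T` prints the effective configuration, including values that come from defaults.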