Les Mikesell wrote:
That's just normal behavior when both are enabled. If the key works, you don't get the password prompt. But even in the 'ultrasecure' scenario of requiring both, do you really want people typing their passwords on equipment that might have a keylogger running?
One scenario is business customers I maintain. They are almost all on my network, and I have servers I maintain/admin 400 km away that are not mine. When I am logged in there, or on-site, I often need to pull some data from my main server. Sometimes FTP is enough, but sometimes I need to use SFTP or SCP to access sensitive scripts, or to log in (when I am on-site on a faraway network).
How do you propose that I use key-only auth? To copy my sensitive key onto their system? Or is it better in that case to just use password auth? I avoid using my passwords on infected systems, or without proper protection, but on safe systems it is better to use passwords than keys.
And of course, I have a brother with root access who does not own a laptop. And if I even tried to force him to use keys for every connection, I would have a blue eye in a matter of days ;-)
Ljubomir