On Wed, Aug 09, 2006 at 01:15:29PM -0400, William L. Maltby wrote:
> My question is: is there a scenario where the public key based solution
> is just totally inappropriate? Am I overrating the value of going
> "passwordless"?

No to both questions. I use the same thing on all my servers (only keys, no plain-text).

However, there is a 3rd authentication option. The first 2 are:

- Password
- Public Key

the 3rd being:

- Challenge/Response

Challenge/Response authentication includes things like S/KEY and OTPW (One Time PassWord).

If we give Password authentication a security rating of 0, and Public Key a security rating of 10, a good challenge/response method will offer you something like 9. They are a very good alternative when you can't, for one reason or another, use only key auth. And just like for passwords, you can have both key and challenge methods enabled.

There is one particular critical server here that I need to be able to access no matter what. Even if I need to go into a lanhouse to do it. In that case, using a public key is at least unadvisable, since others can try grabbing it at the time. So, Challenge/Response is a very good way to go, since it doesn't matter if someone else gets my password (the password will work only once).

> I'm also using an IPCop firewall w/no access from the 'net for now. But
> if/when I "open 'er up" a little, I would like to believe I'm doing the
> best job I can.

If you have the option of only using keys, then that is the way to go. Make sure all other authentication methods are disabled for extra points.

-- 
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
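Added example, not part of the original message: a small Python check for the advice above about disabling every method except keys. It reads `sshd_config` text and reports which of the three methods discussed (password, public key, challenge/response) are enabled globally. Assumptions: upstream OpenSSH defaults apply when a keyword is absent, `Match` blocks are not evaluated, and the sample config is constructed.

```python
import re

# Upstream OpenSSH defaults (assumption: the distribution has not changed them).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for the same switch.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: password is turned off, challenge/response is left on.
SAMPLE = """\
PubkeyAuthentication yes
PasswordAuthentication no
passwordauthentication yes   # ignored, sshd keeps the first value it reads
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
"""


def effective_auth(config_text):
    """Return {keyword: enabled} for the global section of an sshd_config."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and argument are separated by whitespace or '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # conditional overrides start here; not evaluated
        key = ALIASES.get(key, key)
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return {k: seen.get(k, default) == "yes" for k, default in DEFAULTS.items()}


def keys_only_violations(config_text):
    """List the keywords that break an 'only keys' policy."""
    state = effective_auth(config_text)
    bad = [k for k, on in state.items() if on and k != "pubkeyauthentication"]
    if not state["pubkeyauthentication"]:
        bad.append("pubkeyauthentication disabled")
    return sorted(bad)


if __name__ == "__main__":
    print(keys_only_violations(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration including distribution defaults, which is the authoritative source for the same check.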