Les Mikesell wrote: > That's just normal behavior when both are enabled. If the key works, > you don't get the password prompt. But even in the 'ultrasecure' > scenario of requiring both, do you really want people typing their > passwords on equipment that might have a keylogger running? > One scenario is business customers I maintain. They are almost all on my network, and I have servers I maintain/admin 400 km away that are not mine. When I am logged there, or on-site, I often need to pull some data from my main server. Sometimes FTP is enough, but sometimes I need to use SFTP or SCP to access sensitive scripts, or to login (when I am on-site on far away network). How do you propose that I use key only auth? to copy my sensitive key onto their system? Or is it better to in that case just use password auth? I avoid using my passwords on infected systems, or without proper protection, but on safe systems it is better to use passwords then keys. And of course, I have a brother with root access that does not own a laptop. And if I even tried to force him to use keys for every connection, I would have blue eye in matter of days ;-) Ljubomir