Mike Chirico on 10 Jun 2009 18:43:10 -0700


Re: [PLUG] Pros and cons of key-pair based vs password based SSH...

On Wed, Jun 10, 2009 at 08:59:57PM -0400, Michael Bevilacqua wrote:
> On Wed, Jun 10, 2009 at 8:42 PM, Richard Freeman
> <r-plug@thefreemanclan.net> wrote:
> > Allowing password logins does not prevent you from also logging in with
> > a key.
> And this is a great point Richard has made. You *can* authenticate with both
> keys and passwords, not just one or the other. Just in case you were
> assuming that.
> By default, keys and passwords work together. SSHD checks for a key first
> before falling back to password authentication. So, if your key fails, or if
> you have no key, you can still handshake with a password.

If needed, you can force only password checking, regardless of an
existing key, when sshing into a remote host.

$ ssh -o PubkeyAuthentication=no user@somecomputer.com

It's also possible to disable host key checking.

$ ssh -o PubkeyAuthentication=no -o StrictHostKeyChecking=no user@somecomputer.com

Agreed. Normally this would be useless. However, if you have hundreds
of computers that need to be updated by a custom login script, say
something with Expect or maybe a forkpty in a Python script where
you're storing and passing the password, then less coding is needed
to handle cases where some computers may have moved (they will fail
the Strict Hostkey checking), or maybe someone has copied a few of the
keys: there's no need to create elaborate "if then" statements for
password checking vs. key checking.


Mike Chirico

Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
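
Added example (not part of the original message or the list archive): a Python triage step for the kind of bulk update script discussed above, which forces password login with PubkeyAuthentication=no but leaves StrictHostKeyChecking on and sorts hosts by failure type, so moved or re-keyed hosts are listed for review. The function names, host names and sample stderr text are constructed; the patterns assume OpenSSH client message wording, which can differ between versions.

```python
import re
from collections import defaultdict

# Ordered rules, first match wins. Patterns assume OpenSSH client stderr
# wording (an assumption; adjust to the client version in use).
RULES = [
    ("hostkey_changed", re.compile(r"REMOTE HOST IDENTIFICATION HAS CHANGED")),
    ("hostkey_unknown", re.compile(r"No \S+ host key is known for")),
    ("hostkey_failed", re.compile(r"Host key verification failed")),
    ("auth_failed", re.compile(r"Permission denied")),
    ("unreachable", re.compile(r"Connection (refused|timed out)|Could not resolve hostname")),
]

def ssh_argv(user, host, known_hosts, command):
    """Password-only login as in the message, with host key checking kept on."""
    return ["ssh",
            "-o", "PubkeyAuthentication=no",
            "-o", "StrictHostKeyChecking=yes",
            "-o", f"UserKnownHostsFile={known_hosts}",
            f"{user}@{host}", command]

def classify(returncode, stderr):
    # ssh exits 0 on success; a failing remote command with no ssh error
    # text on stderr ends up in "other_error".
    if returncode == 0:
        return "ok"
    for label, pattern in RULES:
        if pattern.search(stderr):
            return label
    return "other_error"

def triage(results):
    """Group (host, returncode, stderr) tuples by outcome label."""
    buckets = defaultdict(list)
    for host, returncode, stderr in results:
        buckets[classify(returncode, stderr)].append(host)
    return dict(buckets)

# Constructed sample results, as a runner would collect them per host.
SAMPLE = [
    ("web01.example.com", 0, ""),
    ("web02.example.com", 255, "@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\nHost key verification failed.\n"),
    ("web03.example.com", 255, "No ED25519 host key is known for web03.example.com and you have requested strict checking.\nHost key verification failed.\n"),
    ("web04.example.com", 255, "Permission denied, please try again.\n"),
    ("web05.example.com", 255, "ssh: connect to host web05.example.com port 22: Connection refused\n"),
]

if __name__ == "__main__":
    for label, hosts in triage(SAMPLE).items():
        print(label, hosts)
```

Hosts in the hostkey_changed and hostkey_unknown buckets are the ones whose known_hosts entries need to be verified out of band before the script is rerun.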