On Thursday, December 5, 2019 7:07:04 AM MST Neal Gompa wrote:
> Please don't suggest that password-based auth for SSH is
> insecure.
> That's not even close to true. A password isn't terribly different
> from an SSH key from an authentication perspective. If the password is
> strong or hard to crack, then it's fine.
It's not insecure as a mechanism, but, without something like fail2ban, it
takes a surprisingly short amount of time to break into systems using password
authentication. In practice, it is insecure, especially when compared to the
other options.
> Frankly, it's irresponsible to give blanket statements like
> that,
> because they're untrue and do not recognize the nuance of threat
> models and risk assessments.
It is irresponsible to suggest password-based authentication, especially at a
time when residential ranges especially are being mass scanned, and bots
attempt to break into these systems once SSH servers with password
authentication have been found.
> For the vast majority of people using SSH in a non-shared context
> (i.e. not a VPS or some kind of easily accessible server), password
> auth is more than sufficient with a strong enough password or
> passphrase.
This would depend heavily on what environment they're using it on. If it never
connects to the internet, you would be correct. If it connects to shared wifi,
or home wifi with the average home router, then I would argue that it is not
sufficient to use password authentication. This is especially true on shared
wifi, for example the guest wifi at most businesses.
--
John M. Harris, Jr.
Splentity
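The thread argues over whether an SSH server should accept passwords at all. A practical check a defender would want is whether a given sshd_config actually disables password logins, which is easy to get wrong because sshd_config(5) uses the first value it finds for each keyword (a `PasswordAuthentication no` appended at the bottom does nothing if a `yes` appears earlier). The following is an added example, not code from either participant in the thread: a small POSIX shell auditor that reads the global section of an sshd_config (everything before the first `Match` block, whitespace-separated `Keyword value` lines only) and reports the effective `PasswordAuthentication` setting, applying sshd's default of `yes` when the keyword is absent. The sample configs it writes are constructed for the demonstration and do not come from any real host.

```shell
#!/bin/sh
# Audit an sshd_config for password authentication.
# Rules applied (from sshd_config(5)): the FIRST value seen for a keyword wins,
# and the default for PasswordAuthentication is "yes". Only the global section
# before the first "Match" block is examined; "Keyword=value" syntax and
# "Include" directives are not handled here (assumption of this example).

effective_setting() {
    # $1 = config file, $2 = keyword.
    # Echoes the first value found before any Match block, or nothing if absent.
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0          { next }   # skip comments / blanks
        tolower($1) == "match"               { exit }   # stop at first Match block
        tolower($1) == tolower(key)          { print tolower($2); exit }
    ' "$1"
}

password_auth_enabled() {
    # Exit status 0 (true) if password auth is effectively enabled, 1 otherwise.
    val=$(effective_setting "$1" PasswordAuthentication)
    [ -z "$val" ] && val=yes        # keyword absent: sshd default is "yes"
    [ "$val" = "yes" ]
}

audit_sshd_config() {
    # $1 = config file. Prints a one-line verdict; exit status 0 means hardened.
    if password_auth_enabled "$1"; then
        echo "$1: PasswordAuthentication is effectively yes (password logins allowed)"
        return 1
    fi
    echo "$1: PasswordAuthentication is no (key-based logins only)"
    return 0
}

write_samples() {
    # Constructed sample configs written into directory $1 (demo data only).
    cat > "$1/default_sshd_config" <<'EOF'
# keyword absent, so sshd's built-in default (yes) applies
Port 22
PubkeyAuthentication yes
EOF
    cat > "$1/appended_sshd_config" <<'EOF'
# common mistake: "no" appended at the end, but the earlier "yes" wins
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in default appended hardened; do
        audit_sshd_config "$dir/${f}_sshd_config"
    done
    rm -rf "$dir"
fi
```

Run it as `sh audit.sh --demo` to see the three verdicts, or call `audit_sshd_config /etc/ssh/sshd_config` from another script; a non-zero exit status flags a host that still accepts passwords. The `Match` block in the hardened sample is deliberately left alone: per-user exceptions are a policy decision, and the global verdict is what the mass-scanning bots discussed in the thread will hit first.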