Is it safe to open ssh port to world with only key based authentication?

Scot L. Harris webid at cfl.rr.com
Fri Nov 25 21:05:56 UTC 2005


On Fri, 2005-11-25 at 05:19, Vijay Gill wrote:
> I am working on the idea of writing a small script which will modify
> the port of sshd every day according to some logic I will use on the
> client side to find the port for that day. This script will run in
> background and will do the job of modifying the config file and
> restarting of the service automatically.
> 
> Does that sound like even more secure idea?
> 
> Regards from
> Vijay Gill

Actually that will not buy you more security.  If you disable root ssh
access, use good passwords, use keys, use ssh2 only, and restrict the
users that are allowed to ssh to the system you have covered most of the
items that improve your security.  Changing the ssh port is generally
not viewed as making your system more secure.  It will keep the script
kiddies from knocking on the door but anyone that targets your system
specifically will scan all ports and find that you have ssh on a
different port.  

I use a different port for ssh.  This keeps my log files cleaner.  But
it does not make my system any more secure.  That is taken care of by
using the other methods mentioned above for ssh.  

You might want to check out port knocking.  Although there was an
article posted on the web that argued that even port knocking does not
provide any added security.

Just remember that you want to keep your system just a little more
secure than the next system.  Just be careful not to make things so
complex that you introduce a security hole.  

Most of the ssh scanning going on relies on people not using good
passwords.  By simply using good passwords on all accounts the risk is
all but eliminated.  It is sad how many systems out there have accounts
with very poor passwords.  
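
The ssh settings listed in the reply above (no root login, keys, ssh2 only, restricted users) can be checked mechanically. The script below is an added example, not part of the original message: it audits the global section of an sshd_config, and the two sample configs, the user names and the choice to require PasswordAuthentication no (the key-only case from the subject line) are assumptions made for the illustration.

```python
# Added example: audit sshd_config text against the hardening items in the reply.
# Both sample configs are constructed for illustration.
WEAK = """\
Port 2222
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
Match User backup
    AllowUsers backup
"""
HARDENED = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
"""

def parse_global(text):
    """Return {keyword: [args]} for the lines before the first Match block.
    Keywords are case-insensitive and sshd keeps the first value it reads,
    so a later duplicate does not override an earlier line."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # Match blocks are conditional; only global settings are audited
        opts.setdefault(parts[0].lower(), parts[1:])
    return opts

def audit(text):
    o = parse_global(text)
    first = lambda k: (o.get(k) or [""])[0].lower()
    findings = []  # Port is ignored on purpose: moving it is not a security control
    if first("permitrootlogin") != "no":
        findings.append("root login over ssh is not disabled (want PermitRootLogin no)")
    if first("pubkeyauthentication") == "no":
        findings.append("key authentication is turned off")
    if first("passwordauthentication") != "no":
        findings.append("password logins accepted (want PasswordAuthentication no)")
    if "protocol" in o and "1" in first("protocol").split(","):
        findings.append("ssh protocol 1 is enabled (want Protocol 2)")
    if not (o.get("allowusers") or o.get("allowgroups")):
        findings.append("no global AllowUsers/AllowGroups restriction")
    return findings
```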



