On 02.12.2003 Lisa Seelye <[EMAIL PROTECTED]> wrote:
> On Tue, 2003-12-02 at 09:45, Ian Leitch wrote:
> > On Tue, 2003-12-02 at 16:14, Alex Veber wrote:
> > >
> > > I am not sure it's a good idea, I work on Gentoo from home and from school
> > > uploading and downloading files all the time, the computers at school are
> > > public and I can't put my key in there (if I forget to log out or something).
> >
> > You could ssh to home, then ssh to dev... if it's not too much trouble.
>
> That's what I do. And I've gotten so good at typing my "strong"
> password I can do it even with people watching and they won't get it. ;)

What about those who're watching you from inside the computer? Their eyes are keen and their memory is long-lasting.

Disabling password authentication is a security measure, but it is no panacea. By forcing developers to use keys you eliminate the problem of using passwords in general, such as weak passwords or the use of the same password for multiple places. But some people complain, they say that a key is more inconvenient than a password, for example, the key isn't as portable as a password, you can't use it anywhere. My reply is, you shouldn't be using it anywhere. You should never access a valuable resource from a computer that you don't trust. To force the use of keys exposes those who go around giving their password to any computer they see. If you don't trust a computer well enough to keep your key permanently on it, you shouldn't access Gentoo from that computer.

But it is true, sometimes security brings inconvenience. But I think the idea of "ssh to home and then to Gentoo" as a remedy for accessing Gentoo from an untrusted place is really bad. You've just given the attacker your home computer in addition to Gentoo.

-- 
hhg
