On Sat, Nov 18, 2000 at 02:08:00PM +1100, Jeff Turner wrote:
> Auto-login means that if any user's machine is compromised, the attacker
> has an account on the server too! The ssh auto-login feature allows
> users to create "webs of trust" completely outside the control of the
> sysadmin. It removes the password barrier between systems, and allows
> breakins to quickly propagate between systems. As such it is harmful and
> wrong, and should be switched off by default.
A very smart security expert successfully pursuaded me that if a user's
machine is compromised, all bets are off. It makes no difference whether
you use passwords/passphrases or not, the cracker can still get in to the
server. The vital thing is to secure the user's machine, not introduce
artificial barriers that don't make any difference anyway. The best overall
solution is to use ssh-agent on a secured client machine rather than
passphrase-less keys, because that also protects against physical seizure
of the client machine, although most of us don't worry about that.
- Dave Dykstra
