by eridius 2549 days ago
I don't trust key-only auth; what if I need to access my machine from a new computer I haven't done this with before?

Is there any way to configure SSH to use a custom high-entropy password that's different from the user's local password? My local password is something reasonable for me to type regularly (e.g. for sudo prompts), but I'd love to have a super long password just for SSH that I have to copy from my password manager each time.

4 comments

If this is a scenario that happens often, you probably should invest in a portable method to hold your ssh keys, such as a smart card. I have only used YubiKey for this purpose, but I'm sure others, like the Nitrokey, work similarly.
This could be done simply by creating a new user with your super long password. Lock down ssh so you can only log in as this user, and let them `sudo su` into your normal working user.
I mean, yeah, but I don't want to do that. Partially because I don't want the friction, and partially because that won't work with any other tools that tunnel over ssh (e.g. sftp).
There will be friction, but sftp and port tunneling - which are my most used features besides plain ssh - should be possible?

I mean either you sftp to a shared folder that can be accessed from your regular user as well or you use a staging area with a cron job (or you load/unload the staging area manually.)

If I'm sftp'ing to my server it's because I want to access my files. Not a special shared folder that I then have to separately ssh in, su to the real user, and move into place.

I'm not deploying a website so a staging area isn't applicable. This is just a VPS that I use for various purposes.

If your ssh user has the right privileges, you can read and write your real user's files as the ssh user just fine. I do get that this isn't ideal though.
There are definitely cases where you might need to expose an SSH setup where passwords are allowed to the World, but there is usually little reason to allow anyone to log in directly as root.

Set a long password for the user you log in as (correct horse battery staple-style passwords are perfect for such things), and make sure to put SSH on an alternate port to keep the more basic bots away and thereby reduce the noise.

Having to type a long password for sudo prompts is a bit of a pain, but that trade-off is worth it from a security perspective.
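The two suggestions above (a separate SSH-only user that you `sudo` from, and an sshd with no root login on an alternate port) can be combined into one sshd drop-in plus one sudoers rule. This is an added example, not code from the thread; it assumes OpenSSH 8.2+ (which includes `/etc/ssh/sshd_config.d/*.conf`), a `/etc/sudoers.d` directory, and placeholder names `gate` (the SSH-only user), `alice` (the real user) and port 2222.

```shell
# Added example (not from the thread). Renders the files for the
# "SSH-only gate user" setup; all user names and the port are placeholders.
set -eu

# write_sshd_dropin <outfile> <gate_user> <port>
# Password auth is off for everyone and re-enabled only for the gate user,
# so the real user's (shorter, sudo-friendly) password is never exposed to
# SSH. Root and every other account are refused at the sshd level.
write_sshd_dropin() {
  out=$1; gate=$2; port=$3
  cat > "$out" <<EOF
Port $port
PermitRootLogin no
AllowUsers $gate
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
Match User $gate
    PasswordAuthentication yes
EOF
}

# write_sudoers_rule <outfile> <gate_user> <real_user>
# Lets the gate user become the real user (e.g. `sudo -iu alice`) and
# nothing else; it deliberately grants no root access.
write_sudoers_rule() {
  out=$1; gate=$2; real=$3
  printf '%s ALL=(%s) ALL\n' "$gate" "$real" > "$out"
  chmod 0440 "$out"
}

# Usage on the server (as root), then reload sshd after `sshd -t` passes:
#   write_sshd_dropin /etc/ssh/sshd_config.d/50-gate.conf gate 2222
#   write_sudoers_rule /etc/sudoers.d/gate gate alice
```

Keep an existing session open while you reload sshd, and confirm the new port and the gate login work from a second connection before closing it. sftp still works for the gate user, so the group/ACL permissions on the real user's files decide what it can read and write.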

"a custom high-entropy password that's different from the user's local password?"

You mean an RSA private key? (no really, that's exactly what it is... you can put your private key in your password manager and copy it to your computer)

I can manually type in a 30-letter password that I can see from my password manager on my phone. I'm pretty sure I'm not going to be manually typing in an RSA private key stored on my phone.