[tptacek]

You get that passwords over first-time SSH from untrusted computers or untrusted networks aren't safe at all, right? That posting those passwords is literally a sport at hacker conferences, and has been for over 2 decades?

This whole thread is a little alarming.

[willcipriano]

You get that waking outside isn't safe at all right? Mugging is as old as civilization and don't get me started on cars.

Life is about trade offs, if someone really wants to spend the time to get access to my home dev box then I may have to spend a couple days on the phone with the bank and restoring from my offline backups. Big whoop.

Your home is likely insecure from my standards. Do you have a firearm at the ready? Do you know how to use it? Does your family have codewords to communicate without letting others on to your plan? How hard is it to kick in your doors? Not just the front door, but the bedrooms. Do you have a dog to wake you in the night? How stocked are you, can you last a month with no resupply? Do you even have a panic room?

I protect what matters beacuse you can't protect everything.

[tptacek]

How are we still talking about this? SSH doesn't work the way you appear to think it does. Passwords don't solve the first-use problem; in fact, the first-use problem makes passwords much less safe than keys.

[willcipriano]

Yes and your cheap hollow core door doesn't solve the ending the life of everyone you care about problem. Why are you more concerned about passwords than that?

I know the risks well, I don't find them to be worth the hassle of avoiding them.

[getcrunk]

Iirc ssh passwords aren't sent in the clear. Is that really the case?

Edit: I looked it up to confirm. First time password is encrypted analogous to tls

[tptacek]

No, it's not analogous to TLS. TLS has trust anchors: the key exchange in a TLS handshake is secure, even on first contact with a server. The key exchange in a first-contact SSH handshake is trivially MITM'd. An attacker with control of your network (or, obviously, your machine) can simply steal your password.

[getcrunk]

I'm sorry I should have said it uses diffie hellman key exchange. And you are correct it can be mitm. I see that as its primary intrinsic weakness. (Password entropy, storage, are separate problems)

I would contrast this with the weakness of keys being that if the devs keys are compromised so are all the other servers he has access too. (I can memorize my passwords, or write them on a note card. Say what you will about that, it's out of band.)

In light of that the question as to what's best is your threat model. Poor opsec per dev or an upstream network sniffer.

Thanks for all your input all over this thread. I'm revisiting my convictions.

Would you disagree with I've said?

[tialaramex]

But you've now swapped out part of the authentication. If you want to claim that, for some threat models, "One password per server" is better than "One key" then, sure, so use "One key per server" and now keys are better again.

Also - I suspect this Caddy server doesn't support it, but OpenSSH does - you can use FIDO and then the keys physically are objects in the real world, from say Yubico or a dozen other vendors so now "losing the keys" is like losing your office keys, except that when they give you a new one they can trivially make the old one stop working.

[getcrunk]

A users keys are unlikely to be compromised singly. You would get them all. Whatever malware exfils the keys would take all that it finds.