|
|
|
|
|
|
by randomsilence
1537 days ago
|
|
|
If you cannot trust the network, where is the advantage of keypairs over passwords? If you have a one-time password, worse case is that some man in the middle gets that password. If you engage in a proof of private key ownership for your login, a man in the middle can use that exchange to log into another server that has the same public key. |
|
|
Second, an attacker targeting your keypair-backed SSH session on an insecure first-use gets your session; against a password, they get your password, which is strictly worse.
It's not my claim that keypairs neatly solve the first-use problem with SSH (though: that problem can be solved, with more keypairs). It's that keys are categorically better than passwords. Which, of course, they are.
The alarming thing about this thread is that there's a couple people here that clearly seem to believe logging in with a password to a "new" SSH server is safe. It's literally the basis for the "Wall of Sheep" at hacker conferences; they were doing it at Usenix when I was there in 1998.