On 17 Aug 12:41, Laurie Brown wrote:
MJ Ray wrote:
[SNIP]
- We only permit key-pair SSH login
I think the weaknesses in this one are:
a) ssh clients on mobile devices, some of which need the key to be generated on one host and then converted and sent to the mobile device. (putty on s60, for example)
Agreed, but that's a price worth paying, IMO. I use Putty with key-pair from my Nokia E90 probably every day. I don't recall having to convert it, and copying it up was a doddle (using Nokia software on a 'Doze machine, admittedly).
The N900 I use is even easier, I just generated the key on it. But then, it really is a tablet PC that happens to also work as a phone... (it's a lovely ARM based device).
b) inability of the server to detect if the key has a passphrase. If it doesn't, then isn't it no better in theory than a password login?
Agreed (although stealing the key might be a challenge), but only an idiot would bother to config key-pair and then fail to go the tiny bit extra and not have a passphrase!
If it's on a mobile device, stealing it ain't that difficult...
Of course, you've got a way to remove a particular public key from authorized_keys, right? ;)
Has anyone smarter than me got solutions for any of those?
Nope!
Don't do remote editing of root files? If they're config files, store them in (some form of) version control, and get that to roll out the changes for you instead...