Chris Green chris@areti.co.uk wrote:
So, I've been looking around at other things that relate to this. One possibility is HostBasedAuthentication where it's the machine rather than the user that has the RSA/DSA keys. Doing this allows the keys to be readable by root only which adds a little extra protection but not a great deal (one site even says HostBasedAuthentication is less secure than a 'no passphrase' personal key).
To get the host private key material you need to be root. If you can do that you can get any passphraseless user private keys too. So I'm not sure what sort of argument would support that sort of claim.
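As an added example (not code from the thread), a small POSIX shell audit that makes the distinction the reply draws concrete: it reports which private keys on a host are readable only by root and which keys would load with an empty passphrase. It assumes the usual OpenSSH default key paths and that `ssh-keygen` and either GNU or BSD `stat` are installed.

```shell
#!/bin/sh
# Added example: audit SSH private keys for who can read them and whether
# they need a passphrase. Key paths are the usual OpenSSH defaults.

# classify_mode OWNER OCTAL_MODE -> world | group | root-only | owner-only
classify_mode() {
    owner=$1
    case $2 in ???) mode=0$2 ;; *) mode=$2 ;; esac   # "600" -> "0600"
    tail2=${mode#??}                                  # group+other digits
    group=${tail2%?}
    other=${tail2#?}
    case $other in [4-7]) echo world; return ;; esac  # any user can read it
    case $group in [4-7]) echo group; return ;; esac  # group members can read it
    if [ "$owner" = root ]; then echo root-only; else echo owner-only; fi
}

# passphrase_status FILE -> none | set | unreadable | unknown
# A key that loads with an empty passphrase is unprotected at rest.
passphrase_status() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo unknown; return; }
    [ -r "$1" ] || { echo unreadable; return; }
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 </dev/null; then
        echo none
    else
        echo set
    fi
}

# audit_keys: one line per key: path, who can read it, passphrase status.
audit_keys() {
    for f in /etc/ssh/ssh_host_*_key "$HOME"/.ssh/id_*; do
        case $f in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        # GNU stat first, then BSD stat; fall back to "unknown".
        if info=$(stat -c '%U %a' "$f" 2>/dev/null) ||
           info=$(stat -f '%Su %OLp' "$f" 2>/dev/null); then
            readers=$(classify_mode "${info% *}" "${info#* }")
        else
            readers=unknown
        fi
        printf '%s readers=%s passphrase=%s\n' "$f" "$readers" "$(passphrase_status "$f")"
    done
}

# Run the audit with: SSH_KEY_AUDIT=1 sh audit.sh (as root to see host keys)
if [ "${SSH_KEY_AUDIT:-0}" = 1 ]; then audit_keys; fi
```

Run as root the host keys show up as `root-only`; run as an ordinary user they show as `unreadable`, while that user's own passphraseless keys show `owner-only` and `passphrase=none`.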