MJ Ray wrote:
[SNIP]
- We only permit key-pair SSH login
I think the weaknesses in this one are:
a) SSH clients on mobile devices, some of which need the key to be generated on one host and then converted and sent to the mobile device (PuTTY on S60, for example).
Agreed, but that's a price worth paying, IMO. I use PuTTY with key-pair from my Nokia E90 probably every day. I don't recall having to convert it, and copying it up was a doddle (using Nokia software on a 'Doze machine, admittedly).
b) inability of the server to detect if the key has a passphrase. If it doesn't, then isn't it no better in theory than a password login?
Agreed (although stealing the key might be a challenge), but only an idiot would bother to config key-pair and then fail to go the tiny bit extra and not have a passphrase!
Has anyone smarter than me got solutions for any of those?
Nope!
Cheers, Laurie.