SSH password vs. key authentication
I've usually been told that public key authentication is strongly preferred over password authentication for SSH. However our previous admin was against public keys and only issued passwords and took care to use different passwords for different servers (pwgen generated passwords; they are reasonably difficult to brute-force, but guaranteed to be written down by the user). So I'd like to ask:
- Does using a password make more sense for administration (non-root with more or less sudo capabilities) full shell login? Given that passwords are different where the key probably wouldn't be, and the password is then used for sudo as well.
- Was it OK even for a special account for sftp upload (restricted to a particular directory) where the password ends up in a file on some other server, because the upload needs to be unattended? The public key would end up stored unencrypted on the same other server.
It's kind of like this… I am divorced and have a vitriolic ex-wife. I also have three great boys, who like most boys can be forgetful, lose things, and who also love their mom. When my boys got old enough to need a key to my house, I had a decision to make: do I use a keyed lock or one of those numeric key pads? If I use the keyed lock, it was certain that my sons would regularly be losing keys; I would be getting calls to come home from work to let them in; and there was a big possibility I would have to replace the lock or have it re-keyed from time to time because the number of "lost keys" (or probability my vitriolic ex-wife now possessed one) reached an uncomfortable limit.
While not maybe the safest in the world, with the numeric lock I had no concerns about the keys being lost; I could text my sons the combo from work (without coming home) when they forgot it; and I could periodically change it when I felt it was compromised. I could also decide how long and/or complex I wanted it. If I thought my ex had it, I could change it as well. A lot simpler and less total cost of ownership.
The keyed lock is like PK. The numeric lock is like passwords. In the end, I can tell you, I am a lot safer with the numeric lock, because I choose my own destiny and can do so as dynamically as I want. And remember, the reality is that the door is just one of the ways into my house.
I like this analogy. However, it isn't perfect. In a managed key situation, I think keypair auth would be more secure. By "managed" I mean, the user has no control over his authorized_keys file -- that file is overwritten by a config management system, managed by a central sysadmin team. If the user loses his key, the sysadmin changes the authorized_keys in much the same way as he would change the user's password. Thus you get the security benefits of PK auth PLUS the flexibility described in this analogy.
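A concrete version of the managed authorized_keys setup from the comment above, as an added example that is not the thread's own code: each user's keys live in a root-owned directory that sshd reads instead of ~/.ssh/authorized_keys, password logins are switched off, and the admin-side deploy function swaps a user's key set in one atomic step. The directory path, the drop-in config file name, and the rule that the managed file holds only bare public keys (no options prefix) are assumptions.

```shell
#!/bin/sh
# Added example of centrally managed SSH keys (assumed layout, not from the thread).
# Users cannot write under /etc/ssh/authorized_keys, so only the admin team
# (or the config management system running as root) can add or revoke a key.
set -eu

# Write the sshd drop-in. $1 is a path prefix: "" on a real host, a temp dir when testing.
render_sshd_config() {
    prefix=$1
    mkdir -p "$prefix/etc/ssh/sshd_config.d"
    cat > "$prefix/etc/ssh/sshd_config.d/10-managed-keys.conf" <<'EOF'
# Keys come only from the root-owned directory; ~/.ssh/authorized_keys is ignored.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
    printf '%s\n' "$prefix/etc/ssh/sshd_config.d/10-managed-keys.conf"
}

# Replace user $2's managed key file with the keys listed in $3 (one per line).
# Only bare public-key lines are accepted, so a pasted private key or a line
# with an options prefix is dropped instead of being installed. Prints the
# number of keys installed; an empty list revokes all of the user's keys.
install_managed_keys() {
    prefix=$1; user=$2; src=$3
    dir="$prefix/etc/ssh/authorized_keys"
    mkdir -p "$dir"
    chmod 755 "$dir"          # world-readable, root-writable only (StrictModes requires this)
    tmp="$dir/.$user.tmp"
    : > "$tmp"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *) ;;
            *) echo "rejecting malformed key line for $user" >&2; continue ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
        n=$((n + 1))
    done < "$src"
    chmod 644 "$tmp"
    mv "$tmp" "$dir/$user"    # atomic swap: the old key set disappears in one step
    echo "$n"
}
```

On a real host the functions are called with an empty prefix and sshd is reloaded afterwards; rotating or revoking a user's key is then one call to install_managed_keys with the new list.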
Please, do not promote using passwords instead of keys. You *can* enforce key rotation. And keys should be locked down with passphrases in any case. A key is like a 2048-bit password protected by another password (the passphrase). What stops your vitriolic wife from installing snooping software (keylogger) on your son's phone, easily retrieving the 4-number combination?
You obviously didn't get the analogy... This is why security practitioners get the hairy eyeball from the rest of the world. While in a purely technical sense certificates are much stronger than passwords, badly implemented certificates are more swift/silent/deadly than passwords. How many organizations implement them perfectly, oh right, with the recent onslaught of hacks against them, not many.