
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   RBERRYPI      Support for the Raspberry Pi device      21,939 messages   


   Message 19,287 of 21,939   
   Chris Green to Theo   
   Re: It is now very nearly impossible to    
   31 Jan 24 14:38:14   
   
   INTL 3:770/1 3:770/3   
   REPLYADDR cl@isbd.net   
   REPLYTO 3:770/3.0 UUCP   
   MSGID:  3cca3c1e   
   REPLY:  03545b6f   
   PID: SoupGate-Win32 v1.05   
   Theo  wrote:   
   > Chris Green  wrote:   
   >   
   > > I *could* generate a separate key for every remote and force it to ask   
   > > for the key every time I log in but that adds extra hassle every time   
   > > I add or change a remote system.   
   >   
   > Asking for the passphrase is no more complex than asking for a password,   
   > surely?   
   >   
   > > Using the default (ssh password authentication) means that I have no   
   > > extra configuration required to either default or local system **and**   
   > > no one can casually walk up to desktop or laptop and get a login to a   
   > > remote.   
   >   
   > Even if you change nothing on the server end, it's still good to use keys   
   > where you can.  If you never send the password there's nothing to keylog or   
   > phish.  You could even unset your password so password auth will never   
   > succeed.  But it's only a one line change in /etc/ssh/sshd_config to disable   
   > password auth altogether.   
   >   
   I don't disagree with what you're saying but there's a load of   
   configuration to do it all if, as is often the case, I'm rebuilding a   
   Raspberry Pi for example.   
      
   "If you never send the password there's nothing to keylog or   
   phish"  Ay?  If there's a keylogger on your system it doesn't care   
   whether you're typing a password or a key.  If it's logging what's   
   sent over the wire then it's encrypted.   
      
   You **have** to start with password authentication so it's inevitably   
   there when you start with your headless Pi.  Everything more to move   
   to one key per remote system is extra hassle which I have to repeat   
   when I rebuild the Pi (which can be quite frequently, e.g. two or   
   three times in a week).   
      
   So generate key (OK, that's only once per physical system), copy the   
   key to the remote using ssh-copy-id.  Then go to the remote and edit   
   /etc/ssh/sshd_config, then reboot and check it all works.  Not a load   
   of work but enough to be a bit of a pain, plus I like to record   
   configuration changes (like the sshd_config one).   
      
      
   --   
   Chris Green   
      
   --- SoupGate-Win32 v1.05   
    * Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)   
   PATH: 770/3 1 218/840 221/6 301/1 218/700 229/426   
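
For the "edit /etc/ssh/sshd_config ... and check it all works" step discussed in the message above, here is an added example (not part of the original post) that reports which global PasswordAuthentication value a config file really yields. The function names are hypothetical and Include directives are assumed not to be in play.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# effective_password_auth FILE
# Prints the global PasswordAuthentication value sshd would take from FILE.
#  - sshd uses the first value it obtains for a keyword, so a later
#    duplicate line has no effect
#  - keywords are matched case-insensitively
#  - lines after the first Match block are conditional, so they are skipped
#  - with no global line the built-in default, "yes", applies
# Assumption: Include directives are not followed; on a live host,
# `sshd -T` prints the configuration sshd actually resolves.
effective_password_auth() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == "passwordauthentication" { print $2; found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# write_sample_config FILE: constructed sshd_config fragment for the demo.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample
#PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sh check_pwauth.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    effective_password_auth "$1"
fi
```

On the constructed sample the result is "no": the commented-out line and the later duplicate are both ignored, which is also why appending a line to the end of a file that already sets the keyword changes nothing.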
      



(c) 1994,  bbs@darkrealms.ca