passwordless ssh from laptop

Karl Auer kauer at biplane.com.au
Mon Dec 26 10:43:24 UTC 2016


On Mon, 2016-12-26 at 09:35 +0000, Colin Law wrote:
> On 26 December 2016 at 06:26, Karl Auer <kauer at biplane.com.au> wrote:
> > ssh logins without passwords should be used only for strictly
> > limited purposes, such as backups. Always use extra security, such
> > as IP address restrictions or command restrictions. Ideally, don't
> > use passwordless logins at all.
> > 
> > Also, read this: http://biplane.com.au/blog/?p=426
> That link does not appear to agree with your contention that one
> should not allow access via keys, finishing with the comment:
> "By the way, if you think your password is safe because it is
> complicated or unusual – you are probably wrong. Use publickey only,
> and protect your keys with long, strong passphrases."

In my message, "logins without passwords" is used in the context of
turning off password authentication and using publickey access instead.
So I should have used "passphrase", not "password".

I should have written:

"Logging in using an ssh key that has no passphrase should be done only
for strictly limited purposes, such as backups. Always use extra
security, such as IP address restrictions or command restrictions.
Ideally, don't use ssh keys without passphrases at all."

I would hope that it is obvious to all that having logins without
*passwords* is insane. You can protect against insane people using ssh
by turning off password authentication completely as discussed, or, if
for some reason you need to retain password logins, you can forbid
blank passwords being accepted by ssh by putting this in
/etc/ssh/sshd_config:

   PermitEmptyPasswords no

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
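
Added example, not part of the original message and not the author's code: a small audit of the two files the message refers to, checking that sshd refuses empty and password logins and that each key in authorized_keys carries a from= (IP address) or command= restriction. The server cannot see whether a private key has a passphrase, so every unrestricted key is reported for review. Assumptions: the function names and sample lines are constructed for illustration, and Include files and Match blocks are not evaluated.

```python
import re
# Constructed sample inputs; key material, hosts and paths are placeholders.
SSHD_CONFIG = "PasswordAuthentication no\nPermitEmptyPasswords yes\n"
AUTHORIZED_KEYS = """\
from="192.0.2.10",command="/usr/local/bin/run-backup",no-pty ssh-ed25519 AAAAC3placeholderA backup@laptop
ssh-ed25519 AAAAC3placeholderB user@laptop
command="/usr/bin/rsync --server --sender . /srv/data" ssh-rsa AAAAB3placeholderC sync@nas
"""
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes that start the key-type field
OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(?:,|\s+)')

def global_settings(text):
    """Global sshd_config keywords, lower-cased; sshd uses the first value it sees."""
    seen = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # everything after Match is conditional, not global
        seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def parse_key_line(line):
    """Split an authorized_keys line into (options dict, [type, key, comment...])."""
    opts, pos = {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPT.match(line, pos)  # one option, quoted value may hold spaces/commas
        if not m:
            raise ValueError("unparseable options: " + line[:40])
        opts[m.group(1).lower()] = m.group(2) or ""
        pos = m.end()
    return opts, line[pos:].split()

def audit(sshd_config, authorized_keys):
    cfg, findings = global_settings(sshd_config), []
    if cfg.get("permitemptypasswords", "no") != "no":  # sshd default is "no"
        findings.append("sshd_config: PermitEmptyPasswords is not 'no'")
    if cfg.get("passwordauthentication", "yes") != "no":  # sshd default is "yes"
        findings.append("sshd_config: PasswordAuthentication is not 'no'")
    for n, line in enumerate(map(str.strip, authorized_keys.splitlines()), 1):
        if not line or line.startswith("#"):
            continue
        opts = parse_key_line(line)[0]
        if "from" not in opts and "command" not in opts:
            findings.append(f"authorized_keys:{n}: key has no from= or command= restriction")
    return findings
if __name__ == "__main__":
    print("\n".join(audit(SSHD_CONFIG, AUTHORIZED_KEYS)))
```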

More information about the ubuntu-users mailing list