Using public/private keys to bypass password entry always sounds good in theory, but my security conscience would never let me do it, for fear that someone who gets into one of your servers can then serially access the rest of your installations with the keys found there.
I do use public key crypto for certain things, like having a separate Subversion user/key so I’m not prompted for a password when I’m committing code.
I always thought, why can’t we have both public key and password authentication on an account? I knew there were patches to make that happen, but who wants to deal with patches every time openssh is updated?
OpenSSH 6.2 (the latest release as I write this) has answered my prayers. Its new AuthenticationMethods directive lets you require that a public key be accepted AND that the user then authenticate with a password. Add the following line to your ‘sshd_config’ file:
AuthenticationMethods publickey,password publickey,keyboard-interactive
Each comma-separated list is a sequence that must be completed in full, and the space-separated lists are alternatives: here, a valid key followed by either a password or a keyboard-interactive (PAM) prompt. Every method you name must also be enabled in the same file, so check that PasswordAuthentication and ChallengeResponseAuthentication have not been set to no further up (some distributions’ default files do exactly that, and sshd uses the first value it finds for a keyword).
I highly encourage all sysadmins to enable this. I used to watch my system logs get blasted on a daily basis by brute-force guessing against sshd, but it comforts me greatly to know that attackers don’t even get a chance to brute-force passwords unless they hold the matching private key:
error: Received disconnect from a.b.c.d: 11: Bye Bye [preauth] : 2460 time(s)
error: Received disconnect from e.f.g.h: 11: Bye Bye [preauth] : 1428 time(s)
Those clients gave up and disconnected before authenticating at all: with publickey required first, sshd never offers the password method to a client that has not already presented an accepted key, so there is nothing for them to guess. I still get prompted for a password from my main computer, so there is no open link to my servers from it even if that machine or its key is compromised. You can also selectively disable the password requirement for particular accounts with a Match block. I added the following lines to ‘sshd_config’ as well (Match blocks have to go at the end of the file, since every directive after a Match line belongs to that block):
Match User subversion_user
AuthenticationMethods publickey
This lets ‘subversion_user’ (a limited-access account) authenticate with its key alone and never see a password prompt, while every other account still needs both.
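Putting the pieces together, here is an added example (my own, not code from the post or from the OpenSSH project) that renders the complete sshd_config fragment described above, checks offline that every method it names is actually enabled, and stages the result for sshd’s own test mode before it goes anywhere near the live daemon. The file paths, the example host names and addresses, and the account name subversion_user are assumptions; the -t and -T/-C flags are real sshd options.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the sshd_config fragment
# described above, runs an offline consistency check on it, and stages it for
# sshd's own test mode before anything touches the live daemon. File paths,
# host names, addresses and the "subversion_user" account are assumptions.
set -eu

# The fragment itself: the two AuthenticationMethods settings from the post
# plus the switches those methods depend on.
render_sshd_auth_config() {
cat <<'EOF'
# Key first, then password (or keyboard-interactive, which is how PAM-backed
# password prompts are delivered). Space separates alternatives, comma
# separates the steps that must all succeed within one alternative.
AuthenticationMethods publickey,password publickey,keyboard-interactive

# Each method named above must also be enabled, or that path can never
# complete. These are the upstream defaults, stated explicitly; note that
# sshd keeps the FIRST value it sees for a keyword, so a "no" earlier in
# the file still wins over these lines.
PubkeyAuthentication yes
PasswordAuthentication yes
# OpenSSH 8.7 renamed this to KbdInteractiveAuthentication; the old spelling
# is still accepted.
ChallengeResponseAuthentication yes
PermitEmptyPasswords no

# Match blocks must come last: every directive after a Match line belongs to
# that block until the next Match keyword.
Match User subversion_user
    AuthenticationMethods publickey
EOF
}

# Offline check, no sshd needed: every method named in an AuthenticationMethods
# line must be enabled by its controlling directive, otherwise that login path
# is dead and, if it is the only one, the user is locked out. Reads sshd_config
# text on stdin; exits 0 when consistent, 1 otherwise, naming the offenders.
# Only global (pre-Match) switches are considered, first value wins, as in sshd.
check_methods_enabled() {
    awk '
    function setonce(m, v) { if (!(m in seen)) { en[m] = v; seen[m] = 1 } }
    BEGIN {                      # upstream defaults for the switches tracked here
        en["publickey"] = "yes"; en["password"] = "yes"
        en["keyboard-interactive"] = "yes"; en["hostbased"] = "no"
        en["gssapi-with-mic"] = "no"
    }
    { key = tolower($1) }
    key == "match" { inmatch = 1 }
    !inmatch && key == "pubkeyauthentication"            { setonce("publickey", tolower($2)) }
    !inmatch && key == "passwordauthentication"          { setonce("password", tolower($2)) }
    !inmatch && key == "challengeresponseauthentication" { setonce("keyboard-interactive", tolower($2)) }
    !inmatch && key == "kbdinteractiveauthentication"    { setonce("keyboard-interactive", tolower($2)) }
    !inmatch && key == "hostbasedauthentication"         { setonce("hostbased", tolower($2)) }
    !inmatch && key == "gssapiauthentication"            { setonce("gssapi-with-mic", tolower($2)) }
    key == "authenticationmethods" {
        for (i = 2; i <= NF; i++) {        # one field per alternative list
            n = split($i, step, ",")       # one element per required step
            for (j = 1; j <= n; j++) if (step[j] != "any") need[step[j]] = 1
        }
    }
    END {
        bad = 0
        for (m in need) if (en[m] != "yes") {
            printf "method %s is required but not enabled\n", m; bad = 1
        }
        exit bad
    }'
}

# Stage a complete config (live file plus the fragment) in a scratch path and
# let sshd validate it. Never restart sshd on an unvalidated AuthenticationMethods
# change, and keep an existing session open while you do.
stage_config() {
    live=${1:-/etc/ssh/sshd_config}
    staged=${2:-/tmp/sshd_config.staged}
    if grep -qi '^[[:space:]]*Match' "$live"; then
        # Appending global directives after an existing Match would scope them
        # to that block; they must be inserted above it instead.
        echo "warning: $live already contains Match blocks; merge by hand" >&2
    fi
    { cat "$live"; echo; render_sshd_auth_config; } > "$staged"
    check_methods_enabled < "$staged"         # catches a distro "no" that the fragment cannot override
    sshd -t -f "$staged"                      # syntax and option check; non-zero exit: do not install
    # Extended test mode prints the effective config; -C applies Match blocks
    # for a hypothetical connection, so you can confirm who gets which methods.
    for spec in user=subversion_user,host=build.example.org,addr=192.0.2.10 \
                user=alice,host=laptop.example.org,addr=192.0.2.11; do
        printf '%s: ' "$spec"
        sshd -T -f "$staged" -C "$spec" | grep -i '^authenticationmethods'
    done
}

# Usage: STAGE=1 ./stage_ssh_auth.sh [live_config] [staging_path]
if [ "${STAGE:-0}" = 1 ]; then stage_config "${1:-}" "${2:-}"; fi
```

The offline check is deliberately stricter than a syntax test: sshd -t will happily accept a file whose only listed method is switched off, and you find out when nobody can log in. Run it against the staged file rather than the fragment alone, because a ChallengeResponseAuthentication no that a distribution shipped near the top of the live file beats the yes appended below it.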
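To check that the policy is really holding, here is an added example (not from the original post) that produces a logwatch-style summary of sshd auth lines like the ones quoted above: how many key-less clients were dropped at the preauth stage per source address, which clients got as far as a password prompt, and which authentication steps completed. The log lines it ships with are constructed for the demo and include one deliberate anomaly, a password failure from a scanner; after this change anything in the password-stage list deserves a look.

```shell
#!/bin/sh
# Added example, not from the original post: a logwatch-style summary of sshd
# auth lines that shows whether the publickey-first policy is doing its job.
# Reads syslog-format lines on stdin. The sample lines below are constructed.
set -eu

ssh_auth_report() {
    awk '
    # Key-less clients are dropped before authentication; count them per source.
    /sshd\[[0-9]+\]: Received disconnect from / && /\[preauth\]/ {
        ip = $0
        sub(/.*Received disconnect from /, "", ip)
        sub(/( port [0-9]+)?: ?[0-9]+: .*$/, "", ip)   # old "ip: 11:" and newer "ip port N:11:" forms, IPv4 only
        preauth[ip]++
    }
    # A Failed password line means the client reached the password prompt:
    # after this change that only happens for a client that already passed the
    # key step, or for an account a Match block has exempted. Worth a look.
    /sshd\[[0-9]+\]: Failed password for / {
        rest = $0
        sub(/.*Failed password for /, "", rest)
        sub(/^invalid user /, "", rest)
        split(rest, f, " ")                           # user from ip port N ssh2
        pwstage[f[1] " " f[3]]++
    }
    # Completed steps. sshd logs the first completed step of a multi-method
    # login as "Partial" rather than "Accepted"; both count as success here.
    /sshd\[[0-9]+\]: (Accepted|Partial) [a-z0-9-]+ for / {
        rest = $0
        sub(/.*sshd\[[0-9]+\]: /, "", rest)
        split(rest, f, " ")                           # Accepted method for user from ip ...
        completed[f[2] " " f[4] " " f[6]]++
    }
    END {
        for (k in preauth)   print "preauth", k, preauth[k]
        for (k in pwstage)   print "password-stage", k, pwstage[k]
        for (k in completed) print "completed", k, completed[k]
    }' | sort
}

# Constructed sample, not real traffic: documentation ranges stand in for
# scanners (203.0.113.0/24, 198.51.100.0/24) and for the admin's box (192.0.2.10).
sample_auth_log() {
cat <<'EOF'
Mar  2 03:14:07 srv sshd[21042]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Mar  2 03:14:09 srv sshd[21044]: Received disconnect from 203.0.113.7: 11: Bye Bye [preauth]
Mar  2 03:15:01 srv sshd[21050]: Received disconnect from 198.51.100.23: 11: Bye Bye [preauth]
Mar  2 03:16:22 srv sshd[21060]: Partial publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  2 03:16:23 srv sshd[21060]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar  2 03:17:40 srv sshd[21070]: Failed password for invalid user admin from 198.51.100.23 port 40000 ssh2
Mar  2 03:18:05 srv sshd[21075]: Accepted publickey for subversion_user from 192.0.2.10 port 51300 ssh2
EOF
}

# Usage: ssh_auth_report < /var/log/auth.log, or DEMO=1 ./ssh_auth_report.sh
if [ "${DEMO:-0}" = 1 ]; then sample_auth_log | ssh_auth_report; fi
```

On the sample, the two scanners show up only as preauth counts, alice shows a completed key step followed by a completed password step, and the exempted subversion_user completes with its key alone. The one password-stage line, from a scanner address against a non-existent account, is exactly the kind of entry that should no longer appear once the policy is active and is the reason to keep watching that list.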