← Back to context

Comment by SoftTalker

2 years ago

A service may provision an account with a provided ssh public key, so that you never log in with a password, even once.

It's sort of a chicken-egg problem though, presumably you do have a password somewhere along the line, such as in a portal where you created your account and uploaded your public key.

5 comments

SoftTalker

Reply
alexvitkov  2 years ago

I'd say there are more valuable things you can do to improve security than solving the problem of "having to ssh in with a password one time to upload a key"

  • SoftTalker  2 years ago

    Maybe. Not having a password on the server eliminates all the risks associated with weak or leaked passwords. And then you can configure SSH to reject password logins altogether. It's not an insignificant benefit.

    • hnfong  2 years ago

      I'd say there are more valuable things you can do to improve security than solving the problem of "having to ssh in with a password one time to upload a key, then updating the config to reject password logins".

  • hedora  2 years ago

    If you can't securely ship a public key to a fresh machine, then how can you trust the software running on that machine?

    • alexvitkov  2 years ago

      SSH password login is secure. Keys are preferred since you can't have asdf1234 as a key, but if you as the initial person to set up the server are the only one allowed password login and use a decent password, you're fine