Reply to "Safer Access without Passwords", Linux Journal, Jul 06, 2011

“How do you make sure that your passwords are safe? You can make them longer, complicate them by adding odd characters, and make sure to use different passwords for each user account that you have. Or, you can simply skip them altogether.

When logging into a remote machine through ssh, you are usually prompted for the remote user's password. An alternative to this is to use an asymmetric key pair.”

Using One Time Passwords with SSH
Submitted by Andrew Stringer (not verified) on Fri, 07/08/2011 - 04:57.

I agree with many of the points above; passwords on their own can be sniffed if a keylogger is on the machine you are attempting access from. Having an ssl key with a passphrase is an improvement, but the key has to be processed on the potentially compromised computer, and the passphrase can be recorded just as easily as a password by a keylogger.

I have started to use one-time passwords with a PAM module called Barada. This uses your Android phone as a passphrase generator, secured with a PIN. Your login application, either ssh or other, needs to support PAM of course. On the target machine, you register users and create a seed which is copied to the phone app. To log in, you enter a PIN into the phone app, which creates a 6-digit passphrase that is entered in place of your password. This is time limited to approximately a 2 minute window. If this passphrase is logged, it is of no consequence as it is not valid for reuse.

As far as I can see, this represents the best combination of security.
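The scheme described in the reply (a seed shared with the phone, a short-lived 6-digit code that is refused if submitted again) can be modelled with a standard TOTP verifier. The block below is an added example and is not Barada's code; since the post does not say which algorithm Barada uses, it assumes RFC 6238 TOTP (HMAC-SHA1, 30-second steps, two steps of skew for a window of roughly two minutes) as a stand-in, and leaves the phone-side PIN out.

```python
import hmac
import hashlib
import struct

# Constructed demo seed; in practice this is the secret registered on the
# server at enrolment and copied to the phone app.
DEMO_SEED = b"constructed-demo-seed-not-a-real-secret"
STEP = 30          # seconds per time step (RFC 6238 default, an assumption here)
DIGITS = 6
# Accept the two steps either side of "now": 5 x 30 s = 150 s, which is the
# roughly two-minute acceptance window the post describes (assumed value).
SKEW_STEPS = 2


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (phone side)."""
    return hotp(seed, now // step)


class OtpVerifier:
    """Server side: checks a submitted code within the skew window and never
    accepts a time step at or below one already consumed, so a code that was
    keylogged during a successful login is worthless afterwards."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_accepted_step = -1   # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_accepted_step:
                continue               # replay (or older than a used code)
            if hmac.compare_digest(hotp(self.seed, step), code):
                self.last_accepted_step = step
                return True
        return False
```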
 
corr/accesswithoutpasswords-linuxjournal.txt · Last modified: 05/07/2022 14:11 by andrew