On 8/3/11 4:47 AM, Ondrej Valousek wrote:
Maybe a stupid question, but I have to ask:
If you only work in a single administrative domain, this is fine. I am constantly accessing systems all over the US, and internationally, and the use of ssh-key-based authentication allows me to do this without continuous password prompts. In fact, on many of the systems I can *only* access them by ssh-key. Being able to hold those keys in a central keystore like FreeIPA with a single passphrase, and the ability for an administrator to reset that passphrase, is very desirable for me and for the other users of the systems I'm a part of. Resetting key-based access control if the private key passphrase is lost is always a nuisance.