
> Quoting Jason White (jason@jasonjgw.net):
> > It doesn't take long to shut down ssh before editing /etc/ssh/sshd_config to set PasswordAuthentication no.
>
> Personally, I wouldn't even do that. (In fact, I don't do it.)
>
> The PAM details mentioned upthread prevent non-root users from using trivially guessable 'joe account' passwords. Once those are out of the picture, guessing just isn't a credible threat.

I'm glad to hear someone else say that.

> Stolen credentials, by contrast, are -- and both passwords and keypairs can be equally easily stolen on a compromised host and then used to impersonate users in connection sessions to elsewhere.
For us know-it-all IT types that might be true, but many people use the same username and password _everywhere_, so it is far more likely to have a username/password combination stolen than a key, and I wouldn't say "equally easily stolen". There's a scam going around that involves SMSing the stolen username and password back to the user... I'm not sure exactly how the scam works (or even if I am correct in calling it a scam), but I have spoken to someone who has had this happen to them, and it seems to be happening to others as well: http://whocallsme.com/Phone-Number.aspx/0458702000 (that's the same number as the person I spoke to). I wonder if the SMS-back is a way of getting confirmation of the credentials before trying them (e.g. waiting for a response like "wtf hw did u no my pass?!1!?1?"). Or maybe it's a whitehat letting people know that they have access to a username, password, and mobile number.

James
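A worked check for the sshd_config change Jason mentions, added here and not part of the thread: sshd keeps the first value it sees for a keyword and expands Include lines in place, so appending "PasswordAuthentication no" below an earlier "yes" (often from an included drop-in file) changes nothing, and keyboard-interactive auth through PAM can still prompt for the same password. The script stands in for the filesystem with a dict of path to file text, and the sample config is constructed.

```python
import fnmatch
import re

def _directives(files, path):
    """Yield (keyword, value) from one file, expanding Include where it sits.
    `files` is a dict path -> text standing in for the filesystem."""
    for raw in files.get(path, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "include":
            for name in sorted(fnmatch.filter(files, value)):  # glob order, like sshd
                yield from _directives(files, name)
        else:
            yield key, value

def effective_global(files, root="/etc/ssh/sshd_config"):
    """sshd keeps the FIRST value it sees for a keyword; later lines are ignored.
    Only the global section counts: everything after the first Match is conditional."""
    effective = {}
    for key, value in _directives(files, root):
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective

def password_login_findings(files, root="/etc/ssh/sshd_config"):
    """Empty list means password logins are really off; otherwise say why not."""
    cfg = effective_global(files, root)
    findings = []
    pw = cfg.get("passwordauthentication", "yes").lower()      # sshd default: yes
    if pw != "no":
        findings.append("PasswordAuthentication is effectively '%s'" % pw)
    # With UsePAM yes, keyboard-interactive auth can still prompt for the password.
    # ChallengeResponseAuthentication is the older name for the same keyword.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no" and cfg.get("usepam", "no").lower() == "yes":
        findings.append("keyboard-interactive (PAM) auth still accepts passwords")
    return findings

# Constructed sample resembling a distro host: the admin appended 'no' to the
# main file, but the included drop-in is read first and already says 'yes'.
SAMPLE = {
    "/etc/ssh/sshd_config": "Include /etc/ssh/sshd_config.d/*.conf\nUsePAM yes\n"
                            "KbdInteractiveAuthentication no\nPasswordAuthentication no\n",
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}
```

On a live host, `sshd -T` prints the effective values the same way, which is the quickest way to confirm the edit took.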