I have a client who wants to transfer his data from his laptop to his desktop at the branch office, all using ssh (he used ssh-keygen -t rsa, so I am assuming--maybe wrongly--that it was ssh2). One of my colleagues helped him set everything up, but could not get the transfer automated without removing the password on his ssh key. I told him that he was required to use a password because the transfer occurs across the public internet, but I wasn't able to explain *why* in a convincing way. My understanding is that anyone who obtains the public key would have login privileges (indeed, the private key as well) as that person and could impersonate him anywhere where that key was used. But, how would someone obtain that public key? I thought the ssh2 negotiation itself was temporarily encrypted.
Is it safe to use a passwordless public key across the Internet? Can it be made safe?
Thanks in advance,