Which authentication is better

From: Shing-Fat Fred Ma (fma@doe.carleton.ca)
Date: 11/23/02


From: Shing-Fat Fred Ma <fma@doe.carleton.ca>
Date: 23 Nov 2002 07:27:02 GMT

Hello,

I've been reading the OpenSSH_3.5p1 man
pages till I'm "blue in the face", as it was put.
And googling till I'm blue everywhere else.

#1:
Using protocol 2, am I to understand from the
man page that public key authentication is the
preferred way?

#2:
They also say that "the
hostbased method" of protocol 1 is tried first,
but there are two "host" based methods. I
assume the obvious, that the one using
*known_hosts is used because the other one
is not secure (the one relying only on *hosts.equiv
or .[rs]hosts). Is this right?

#3:
Why would "the hostbased methods" be tried
before public key authentication? It seems like
the latter is more secure.

#4:
I was presented with the server host's RSA
fingerprint to say "yes" or "no" to. To check
this fingerprint, I tried

    $ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
       ssh_host_rsa_key.pub is not a public key file.
    $ ssh -l -f /etc/ssh/ssh_host_key.pub
       SPAT_OUT_A_KEY_FINGERPRINT

Which file is the right one? I presumed the 1st one.
The fingerprint from the 2nd one didn't match
what I was presented.

#5:
Because of the error from the 1st keygen command,
I assumed it was commercial ssh format and tried:

    $ ssh-keygen -i -f /etc/ssh/ssh_host_rsa_key.pub

It turns out that the file is not readable by
common users. Should it be, for the
purposes of extracting the fingerprint, which
in turn is for the purpose of confirming the
server host?

Thanks

-- 
Fred Ma, fma@doe.carleton.ca
Carleton University, Dept. of Electronics
1125 Colonel By Drive, Ottawa, Ontario
Canada, K1S 5B6
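The fingerprint check in #4, as an added example that is not part of the original post: a Python script that builds a constructed protocol-2 `ssh-rsa` public key line (the format of `ssh_host_rsa_key.pub`), parses the base64 wire-format blob the way `ssh-keygen -l` reads it, and returns the colon-separated MD5 fingerprint that OpenSSH 3.x displayed at the host-key prompt, the `SHA256:` form that current OpenSSH prints, and the modulus bit count. It also rejects a protocol-1 `ssh_host_key.pub` style line, whose fields are decimal `bits exponent modulus` rather than base64. The function names and the sample key values are the example's own, not OpenSSH's.

```python
import base64
import binascii
import hashlib
import struct


def encode_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_mpint(value: int) -> bytes:
    """SSH wire-format mpint: big-endian magnitude, leading 0x00 if the high bit is set."""
    if value == 0:
        return encode_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return encode_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str = "constructed@example") -> str:
    """Build a constructed protocol-2 public key line: 'ssh-rsa <base64 blob> comment'.
    The blob is the key's wire encoding: string "ssh-rsa", mpint e, mpint n."""
    blob = encode_string(b"ssh-rsa") + encode_mpint(e) + encode_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def read_string(blob: bytes, offset: int):
    """Read one SSH string at offset; return (bytes, new offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_pubkey_line(line: str):
    """Parse 'type base64 [comment]' and return (key type, raw blob, modulus bits).
    Bits are only computed for ssh-rsa (the second mpint is the modulus n)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH protocol-2 public key line")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except binascii.Error:
        # Protocol-1 files (ssh_host_key.pub) use decimal 'bits exponent modulus' fields,
        # so their second field is not base64 and they land here.
        raise ValueError("second field is not base64; not a protocol-2 public key line")
    blob_type, offset = read_string(blob, 0)
    if blob_type.decode("ascii", "replace") != fields[0]:
        raise ValueError(f"key type mismatch: line says {fields[0]!r}, blob says {blob_type!r}")
    bits = None
    if blob_type == b"ssh-rsa":
        _e_raw, offset = read_string(blob, offset)
        n_raw, offset = read_string(blob, offset)
        bits = int.from_bytes(n_raw, "big").bit_length()
    return blob_type.decode("ascii"), blob, bits


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint as OpenSSH 3.x printed it: MD5 of the blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as OpenSSH 6.8 and later print it: unpadded base64 of SHA-256, prefixed SHA256:."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprints_for_line(line: str):
    """Return (key type, bits, md5 fingerprint, sha256 fingerprint) for one public key line."""
    key_type, blob, bits = parse_pubkey_line(line)
    return key_type, bits, fingerprint_md5(blob), fingerprint_sha256(blob)


if __name__ == "__main__":
    # Constructed sample key: exponent 65537, a 1024-bit modulus with the high bit set.
    sample_line = make_rsa_pubkey_line(65537, (1 << 1023) + 12345)
    key_type, bits, md5_fp, sha_fp = fingerprints_for_line(sample_line)
    print(f"{bits} {md5_fp} ({key_type.upper()})")   # shape of old ssh-keygen -l output
    print(f"{bits} {sha_fp} ({key_type.upper()})")   # shape of current ssh-keygen -l output
```

On a real host you would run this over `/etc/ssh/ssh_host_rsa_key.pub` and compare the MD5 line with what the 3.5p1 client showed at the "yes/no" prompt; the fingerprint is taken over the decoded blob, not over the text of the file, so the comment field does not affect it.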