Hacker News

Seems kinda painful. Just turn off passwords and let them try all they want. I find rsync particularly painful with a non-standard port.



Your .ssh/config can handle that for you?


Sure, you could try to populate .ssh/config on every machine you ever will try to log in from.

Or you could use the standard port, turn off passwords, and wait for the sun to burn out before someone brute forces their way in.


Or someone can simply own your key holding device as you sip your beverage at the local hotspot or home wifi. Simpler to go after the secret privileged client than the server.


Do you sync your ssh keys to all the machines you log in from?

How do you ssh-copy-id without some allowance for passworded logins? Especially if you're doing it from such distant machines that you can't scp over a .ssh/config file.


So, I just ssh to whatever machine I need to work on, but occasionally need to rsync or scp files to/from that server.

Sure, I could have puppet push a ~/.ssh/config file everywhere, just seems more effort than it's worth. After all, if a hacker wants to know if you are running ssh, it's not hard to scan all ports for ssh.

Why inconvenience yourself more than the attacker?


> Seems kinda painful

Meh. Just means typing in the port in PuTTY. Pick an easy port - 60k. I can live with that.


Right, but say you have a dozen machines you log in from regularly and maybe a few 100 that you log in from occasionally. You want to maintain a ~/.ssh/config on all of them?

Seems like a big inconvenience for minimal extra security. Not like scanning for all open ports that have an ssh listening is hard.


If you’re already typing in the full address for the server every time, since you don’t have an ssh config file, then is it really so much more work to additionally type the port?


Yes, because I will forget to type -p 5223 at some point. If you set up a non-standard port against my recommendation and I get banned for trying 22, you better be on call 24/7 for free to unban me.


If you are coming from 100s of machines, I would really hope you have your home on NFS or something anyways.



