| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Jun 2010 17:10:48 -0700 From: Xin LI <delphij@...il.com> To: Paul Schmehl <pschmehl_lists@...rr.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: targetted SSH bruteforce attacks On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl <pschmehl_lists@...rr.com> wrote: > --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@...il.com> > wrote: > >> On FreeBSD you can probably just use the following pf.conf line to >> block most of such attacks: >> >> block in quick proto tcp from any os "Linux" to any port ssh >> >> (Note that with this you may lose the ability to login from any Linux >> based box including from an Android phone, etc) >> >> Of course it's wise to disable password authentication and just use >> public key authentication. > > Why? Ssh is encrypted, so you're not exposing a password when you login. > How does public key authentication make you more secure (in a practical > sense)? Well, I usually avoid the term "more secure" since it really depends on the real usage and scenario. The benefits of using public key authentication are: - A typical 2048 bit key pair offered much more entropy than password average people can comfortably remember, making it practically impossible to brute force crack. - It does not transfer any credential information that can be used if being cracked. i.e. the authentication process is some kind of zero-knowledge proof, say, "I have the key but you won't see it" rather than "I have the password and here it is" (*). Password authentications are usually just plain text over an encrypted channel. Downsides are mostly at the human side, e.g.: - Survey says that many people won't encrypt their private key and protect it properly, nor treat forward agents in a secure manner; - It's not quite convenient if one don't have immediate access to their private key, i.e. a system administrator traveling without his laptop but arguably, this case should never happen since using passwords on untrusted system is much more dangerous. (*) This can of course be improved, though but I am not aware of any alternative that does not impose more restrictions. Cheers, -- Xin LI <delphij@...phij.net> http://www.delphij.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists