lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTil8WsGNKr1in7zyd9Zf1hnCUAVkMLnBk5mwAXeZ@mail.gmail.com>
Date: Thu, 17 Jun 2010 17:10:48 -0700
From: Xin LI <delphij@...il.com>
To: Paul Schmehl <pschmehl_lists@...rr.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl <pschmehl_lists@...rr.com> wrote:
> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@...il.com>
> wrote:
>
>> On FreeBSD you can probably just use the following pf.conf line to
>> block most of such attacks:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>>
>> (Note that with this you may lose the ability to login from any Linux
>> based box including from an Android phone, etc)
>>
>> Of course it's wise to disable password authentication and just use
>> public key authentication.
>
> Why?  Ssh is encrypted, so you're not exposing a password when you login.
>  How does public key authentication make you more secure (in a practical
> sense)?

Well, I usually avoid the term "more secure" since it really depends
on the real usage and scenario.

The benefits of using public key authentication are:
 - A typical 2048 bit key pair offered much more entropy than password
average people can comfortably remember, making it practically
impossible to brute force crack.
 - It does not transfer any credential information that can be used if
being cracked.  i.e. the authentication process is some kind of
zero-knowledge proof, say, "I have the key but you won't see it"
rather than "I have the password and here it is" (*).  Password
authentications are usually just plain text over an encrypted channel.

Downsides are mostly at the human side, e.g.:
 - Survey says that many people won't encrypt their private key and
protect it properly, nor treat forward agents in a secure manner;
 - It's not quite convenient if one don't have immediate access to
their private key, i.e. a system administrator traveling without his
laptop but arguably, this case should never happen since using
passwords on untrusted system is much more dangerous.


(*) This can of course be improved, though but I am not aware of any
alternative that does not impose more restrictions.

Cheers,
-- 
Xin LI <delphij@...phij.net> http://www.delphij.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ