Open Source and information security mailing list archives
Message-ID: <4C1FB967.3060100@extendedsubset.com>
Date: Mon, 21 Jun 2010 14:11:35 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Paul Schmehl <pschmehl_lists@...rr.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: targetted SSH bruteforce attacks

On 6/17/2010 3:21 PM, Paul Schmehl wrote:
> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij@...il.com> wrote:
>>
>> Of course it's wise to disable password authentication and just use
>> public key authentication.
> 
> Why?  Ssh is encrypted, so you're not exposing a password when you login.  How 
> does public key authentication make you more secure (in a practical sense)?

In the case of SSH password auth you are handing the plaintext password
directly to any server you log in to. For many of us, this is basically
any time we're expecting to contact that server for the first time from
that client machine. Users who are willing to bypass a server key
mismatch warning may be giving away their password every time.

I know there's somebody out there who always verifies server
fingerprints through an independent trusted channel before accepting
them. I would like to meet this person.

Often the same password is used on multiple systems (e.g.
kerberos/active directory).

However, if the client is configured to only use public key auth,
accidentally connecting to a malicious server does not automatically
give the bad guy your plaintext password.

- Marsh
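As an added illustration (not part of Marsh's message or the thread), here is a client-side ssh_config that does what his last paragraph describes: the first Host block shows the permissive settings, the second restricts the client to public key auth and refuses unknown or changed host keys instead of prompting. Hostnames, the user name and the key path are placeholders.

```sshconfig
# Added example, not from the original thread. Hostnames, user and key path are placeholders.
# ssh_config is first-match-wins per option, so specific Host blocks go before "Host *".

# Weak: the client will fall back to sending a password to whatever answers at this
# name, and only warns (and lets the user say "yes") when the host key is unknown or
# does not match known_hosts.
Host legacy.example.invalid
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
    StrictHostKeyChecking ask

# Hardened: only public key auth is offered, so a mistyped or spoofed server never
# receives a plaintext password; a host whose key is absent from the known_hosts file
# (or has changed) is refused outright rather than prompting.
# (On OpenSSH older than 8.7 the second option is spelled ChallengeResponseAuthentication.)
Host prod-*.example.invalid bastion.example.invalid
    User deploy
    PubkeyAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PreferredAuthentications publickey
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519_prod
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts_prod

# Defaults for everything else: still no passwords, and no blind trust-on-first-use.
Host *
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    StrictHostKeyChecking yes
```

`ssh -G prod-1.example.invalid` prints the options the client would actually use for a host, which is the quickest way to confirm the block applies; with `StrictHostKeyChecking yes` each server's key has to be placed in the named known_hosts file beforehand, from a channel you trust, which is exactly the fingerprint check the message says almost nobody does by hand.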
