Posted Mar 6, 2007 18:53 UTC (Tue) by bronson
In reply to: Bad Security
Parent article: Single Packet Authorization (Linux Journal)
Requiring private keys does ensure a dictionary attack could not succeed. Perhaps why it doesn't see more widespread use:
- it is notoriously difficult to set up right. Admins tend to half-ass it (lack of time or understanding) and end up producing the equivalent of a shared-root setup.
- it requires more maintenance. On busy sites (think sourceforge), just the day-to-day key management would require at least one full time employee.
- it doesn't stop /var/log/auth.log from growing by 4MB/day.
Don't get me wrong: I run all my sshds with mandatory private keys for this very reason. And I also use port knocking! Use the right tool for the job.
to post comments)