Exactly: I don't think it's doable, although I sort of wish it was. The closest you can get is
to hack ssh-keygen so that it refuses to generate non-passphrased keys, and force everyone to
generate new keys, pissing everyone off.
Preventing brute force ssh attacks
Posted Oct 25, 2007 18:23 UTC (Thu) by madscientist (subscriber, #16861)
> The closest you can get is to hack ssh-keygen so that it refuses to
> generate non-passphrased keys, and force everyone to generate new keys,
> pissing everyone off.
Of course there's no way to guarantee that someone hasn't created a key using an older version
of ssh-keygen, or a version that's been hacked back again. If the server cannot see the
private key it _cannot_ reliably know whether it was locked or not. And not allowing the
server to see the private key is one of the key features of PPK.
Not to mention that there are very legitimate uses for password-less login, and non-PPK
password-less login has no security at all. If you have to have password-less login (and
sometimes you do, particularly for automation purposes) then using a passphrase-less private key
can, with proper attention to detail, give you a "pretty secure" way to do it.
Posted Oct 25, 2007 21:56 UTC (Thu) by nix (subscriber, #2304)
Yeah. What I'm really interested in here is being confident that an
intruder who steals the private key of someone with login rights to my
system cannot use it to log in... but I suppose even passphrases won't
help there, as if they can steal a key they can almost certainly get root
and install a keylogger, and the passphrase is toast.