LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 25, 2007 20:00 UTC (Thu) by njs (guest, #40338)
In reply to: Preventing brute force ssh attacks by nix
Parent article: Preventing brute force ssh attacks 

>at worst passphrased keys are as insecure as passwords

Not true, unfortunately -- standard passwords can be (in practice) perfectly protected against
guessing attacks by using rate-limiting; there's no way to rate-limit attempts to guess a
compromised key's decryption passphrase.

Whether one cares or not is another matter (most of us are unlikely to be facing attackers who
are willing to spend the necessary time to crack a decent passphrase in any case, and
keyloggers and memory scanners are going to remain much cheaper and easier ways to get at
decrypted keys), but there are tradeoffs.

(Log in to post comments)

Preventing brute force ssh attacks

Posted Oct 25, 2007 22:14 UTC (Thu) by nix (subscriber, #2304) [Link] 

Hm. Interesting.

Of course the passphrase can be much stronger than a password (since you 
only need to type it in once in a blue moon thanks to ssh-agent), but even 
so, that's food for thought...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds