LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 30, 2007 16:31 UTC (Tue) by droundy (subscriber, #4559)
In reply to: Preventing brute force ssh attacks by madscientist
Parent article: Preventing brute force ssh attacks 

> Of course the protocol could just include that information in the request but that's
> completely useless as a security precaution, because the attacker just needs to tweak his
SSH
> client code to always say that the key was passphrased, even if it wasn't.

Actually, this sounds very reasonable to me: the point of refusing access to passphraseless
keys isn't to protect from an attacker, but to protect from a lazy user, who doesn't want to
type his passphrase.  This wouldn't protect from sophisticated lazy users, but those lazy
users will probably realize it's easier to run an ssh-agent than to compile a modified ssh
client.  But this would prevent the stupid lazy user from logging in with his/her
passphraseless key, which ought to gain something.

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds