User: Password:
Subscribe / Log in / New account

Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 25, 2007 18:23 UTC (Thu) by madscientist (subscriber, #16861)
In reply to: Preventing brute force ssh attacks by nix
Parent article: Preventing brute force ssh attacks

> The closest you can get is to hack ssh-keygen so that it refuses to
> generate non-passphrased keys, and force everyone to generate new keys,
> pissing everyone off.

Of course there's no way to guarantee that someone hasn't created a key using an older version
of ssh-keygen, or a version that's been hacked back again.  If the server cannot see the
private key it _cannot_ reliably know whether it was locked or not.  And not allowing the
server to see the private key is one of the key features of PPK.

Not to mention that there are very legitimate uses for password-less login, and non-PPK
password-less login has no security at all.  If you have to have password-less login (and
sometimes you do, particular for automation purposes) then using a passphrase-less private key
can, with proper attention to detail, give you a "pretty secure" way to do it.

(Log in to post comments)

Preventing brute force ssh attacks

Posted Oct 25, 2007 21:56 UTC (Thu) by nix (subscriber, #2304) [Link]

Yeah. What I'm really interested in here is being confident that an 
intruder who steals the private key of someone with login rights to my 
system cannot use it to log in... but I suppose even passphrases won't 
help there, as if they can steal a key they can almost certainly get root 
and install a keylogger, and the passphrase is toast.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds