User: Password:
Subscribe / Log in / New account

Preventing brute force ssh attacks

Preventing brute force ssh attacks

Posted Oct 30, 2007 16:31 UTC (Tue) by droundy (subscriber, #4559)
In reply to: Preventing brute force ssh attacks by madscientist
Parent article: Preventing brute force ssh attacks

> Of course the protocol could just include that information in the request but that's
> completely useless as a security precaution, because the attacker just needs to tweak his
> client code to always say that the key was passphrased, even if it wasn't.

Actually, this sounds very reasonable to me: the point of refusing access to passphraseless
keys isn't to protect from an attacker, but to protect from a lazy user, who doesn't want to
type his passphrase.  This wouldn't protect from sophisticated lazy users, but those lazy
users will probably realize it's easier to run an ssh-agent than to compile a modified ssh
client.  But this would prevent the stupid lazy user from logging in with his/her
passphraseless key, which ought to gain something.

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds