Full Disclosure mailing list archives
Re: targetted SSH bruteforce attacks
From: Marsh Ray <marsh () extendedsubset com>
Date: Mon, 21 Jun 2010 14:11:35 -0500
On 6/17/2010 3:21 PM, Paul Schmehl wrote:
> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delphij () gmail com> wrote:
>
>> Of course it's wise to disable password authentication and just use public key authentication.
>
> Why? SSH is encrypted, so you're not exposing a password when you login. How does public key authentication make you more secure (in a practical sense)?
In the case of SSH password auth you are handing the plaintext password directly to any server you log in to. For many of us, this is basically any time we're expecting to contact that server for the first time from that client machine. For users who are willing to bypass a server key mismatch warning, they may be giving away their password every time.

I know there's somebody out there who always verifies server fingerprints through an independent trusted channel before accepting them. I would like to meet this person.

Often the same password is used on multiple systems (e.g. kerberos/active directory).

However, if the client is configured to only use public key auth, accidentally connecting to a malicious server does not automatically give the bad guy your plaintext password.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
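Editor's note (added example, not part of the thread or written by any of its participants): the difference Marsh describes comes down to what the client actually hands the server during SSH userauth. With the "password" method (RFC 4252 section 8) the client sends the password itself inside the encrypted transport, so whoever terminates that transport reads it and can reuse it. With the "publickey" method (RFC 4252 section 7) the client sends only a signature, and the signed data begins with the session identifier, which in real SSH is the key-exchange hash that covers the server's host key. The Go program below models both methods with stdlib Ed25519 and plays out the thread's scenario: a user clicks through a host key mismatch, authenticates to a rogue server, and the rogue server then tries to reuse what it captured against the real server. The session-identifier derivation (SHA-256 over host key and a random nonce) is a stand-in for the real exchange hash, and the user name, password and keys are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sshString encodes an SSH "string" (uint32 big-endian length + bytes), RFC 4251.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// newSessionID stands in for the SSH session identifier (exchange hash H of
// RFC 4253). Real SSH derives it from the key exchange, which covers the
// server's host key, so it differs per server and per connection. Modelled
// here (assumption, not the real derivation) as SHA-256(hostkey || nonce).
func newSessionID(serverHostKey ed25519.PublicKey) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	h := sha256.New()
	h.Write(serverHostKey)
	h.Write(nonce)
	return h.Sum(nil)
}

// publicKeySignedData is what the client signs for the "publickey" method of
// SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 7). The session identifier comes
// first, so the signature is bound to one connection to one server.
func publicKeySignedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pub))
	return buf.Bytes()
}

// ClientPublicKeyAuth is all the client sends for publickey auth: a signature.
// The private key never leaves the client.
func ClientPublicKeyAuth(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, publicKeySignedData(sessionID, user, pub))
}

// ServerVerifyPublicKeyAuth checks the signature against the server's OWN
// session identifier; a signature captured on another session fails here.
func ServerVerifyPublicKeyAuth(pub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	return ed25519.Verify(pub, publicKeySignedData(sessionID, user, pub), sig)
}

// ClientPasswordAuth is all the client sends for the "password" method
// (RFC 4252 section 8): the password itself, plaintext to the peer.
func ClientPasswordAuth(password string) []byte { return []byte(password) }

// ServerVerifyPasswordAuth stands in for the real server's password check.
func ServerVerifyPasswordAuth(expected string, got []byte) bool { return string(got) == expected }

// RogueServerReplay plays out the scenario from the thread: the host key
// mismatch warning was bypassed, the client authenticated to a rogue server,
// and the rogue server replays what it captured against the real server.
func RogueServerReplay() (passwordReplayWorks, pubkeyReplayWorks bool) {
	realHostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	rogueHostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	const user, password = "alice", "correct horse battery staple" // constructed

	// Session 1: client <-> rogue server. The rogue captures both artefacts.
	rogueSession := newSessionID(rogueHostPub)
	capturedPassword := ClientPasswordAuth(password)
	capturedSig := ClientPublicKeyAuth(userPriv, rogueSession, user)

	// Session 2: rogue server <-> real server, with its own session identifier.
	realSession := newSessionID(realHostPub)
	passwordReplayWorks = ServerVerifyPasswordAuth(password, capturedPassword)
	pubkeyReplayWorks = ServerVerifyPublicKeyAuth(userPub, realSession, user, capturedSig)
	return passwordReplayWorks, pubkeyReplayWorks
}

// HonestPublicKeyAuth confirms the same flow succeeds against the genuine server.
func HonestPublicKeyAuth() bool {
	hostPub, _, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	session := newSessionID(hostPub)
	sig := ClientPublicKeyAuth(userPriv, session, "alice")
	return ServerVerifyPublicKeyAuth(userPub, session, "alice", sig)
}

func main() {
	pw, pk := RogueServerReplay()
	fmt.Printf("honest publickey login works: %v\n", HonestPublicKeyAuth())
	fmt.Printf("rogue server can reuse the captured password: %v\n", pw)
	fmt.Printf("rogue server can reuse the captured publickey signature: %v\n", pk)
}
```

The client-side configuration Marsh refers to ("configured to only use public key auth") is, in OpenSSH terms, `PreferredAuthentications publickey` together with `PasswordAuthentication no` and `KbdInteractiveAuthentication no` (the latter spelled `ChallengeResponseAuthentication no` on older releases) in `ssh_config`, ideally alongside `StrictHostKeyChecking yes` so a mismatched host key refuses to connect instead of prompting. One caveat the model above does not cover: if `ForwardAgent` is enabled towards a rogue host, that host can ask your agent to sign challenges for other servers for as long as the connection lasts; it still never sees the private key or a password, but agent forwarding should be off for hosts you do not trust.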