Re: bruteforce ssh

From: Ertugrul Soeylemez (never_at_drwxr-xr-x.org)
Date: 10/28/05


Date: Fri, 28 Oct 2005 10:24:55 +0200



"Richard E. Silverman" <res@qoxp.net> (28 Oct 2005 02:23:25 -0400):
> ES> Use another authentication scheme than passwords. I recommend
> ES> public key authentication. This doesn't only make bruteforce
> ES> attacks impossible
>
> Well, impractical. :)

Let's call it 'practically impossible'. =P

> ES> but also man in the middle attacks.
>
> It's worth noting that the SSH transport protocol already provides the
> client MITM resistance -- and since the transport protocol normally
> encapsulates the authentication protocol, this protection applies
> regardless of the user authentication method employed (providing the
> requirements of the particular key exchange are met, e.g. the hostkey is
> properly verified). The publickey userauth method simply adds another
> instance of MITM protection, this time for the server.

Both ends are vulnerable until the first client connection has been
made. Also, as you stated, MITM resistance is only on the client side.
Someone can still hijack the channel from server to client, and that's
bad. Even if Mallory couldn't manipulate anything, he's still able to
sniff silently.

-----
Public key "Ertugrul Soeylemez <never@drwxr-xr-x.org>" (id: CE402012)
Fingerprint: 0F12 0912 DFC8 2FC5 E2B8 A23E 6BAC 998E CE40 2012

HKP: hkp://subkeys.pgp.net/
LDAP: ldap://keyserver.pgp.com/
HTTP: http://www.keyserver.de/
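The exchange above turns on one condition: the transport-layer MITM protection only holds if the client actually verifies the host key, and the window Ertugrul points at is the first connection, before any key has been pinned. The script below is an added example, not code from this thread or from OpenSSH; it reimplements the client-side check in Python over a constructed known_hosts file (the `|1|salt|hash` hashed-hostname form and the SHA256 fingerprint format follow what sshd(8) and ssh-keygen(1) document, the hostnames, salt and key bytes are made up). It distinguishes the three outcomes a client must treat differently: no pinned key yet (the trust-on-first-use window), a matching pinned key, and a changed key, which is the case that must be refused rather than silently accepted.

```python
import base64
import hashlib
import hmac

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b

# Constructed sample key blob (ssh-ed25519 framing around 32 fixed bytes);
# it is not any real server's key.
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEY_B64 = base64.b64encode(SAMPLE_KEY_BLOB).decode()
# A second, different blob standing in for a key an interposed host would present.
OTHER_KEY_B64 = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()

def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 over the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def make_hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build a HashKnownHosts-style host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field_matches(field: str, hostname: str) -> bool:
    """Match either a hashed host field or a plain comma-separated host list."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in field.split(",")

def check_host_key(known_hosts_text: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'ok' if a pinned key of this type matches, 'MISMATCH' if the host has a
    pinned key of this type that differs, and 'new' if nothing of this type is pinned
    (the first-connection window where the client has no basis to detect an interposer)."""
    seen_host = False
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; a real client would warn here
        hosts, ktype, kb64 = parts[0], parts[1], parts[2]
        if ktype != key_type or not host_field_matches(hosts, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(kb64, key_b64):
            return "ok"
    return "MISMATCH" if seen_host else "new"

# Constructed sample known_hosts: one hashed entry, one plain entry with an IP alias.
SAMPLE_SALT = bytes([0x42] * 20)
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample file, not a real known_hosts",
    f"{make_hashed_host_field('bastion.example.test', SAMPLE_SALT)} ssh-ed25519 {SAMPLE_KEY_B64}",
    f"legacy.example.test,192.0.2.10 ssh-ed25519 {SAMPLE_KEY_B64}",
])

if __name__ == "__main__":
    for host, key in [("bastion.example.test", SAMPLE_KEY_B64),
                      ("bastion.example.test", OTHER_KEY_B64),
                      ("unknown.example.test", SAMPLE_KEY_B64)]:
        verdict = check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key)
        print(f"{host:24} {fingerprint_sha256(key)}  -> {verdict}")
```

A client that treats "new" the same as "ok" without showing the fingerprint for out-of-band confirmation is exactly the unverified-hostkey case Richard's caveat excludes; a client that lets "MISMATCH" fall through to password authentication hands the password to whoever is in the middle. Hashed entries still let the client verify a host it already knows while keeping the list of hostnames out of a stolen known_hosts file.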
