Re: using PubkeyAuthentication, still getting dictionary attacks!



"MH" == Michael Heiming <michael+USENET@xxxxxxxxxxxxxx> writes:

MH> In comp.security.ssh Nomen Nescio <nobody@xxxxxxxxx>:
>> "Richard E. Silverman" <res@xxxxxxxx> wrote:

NN> Of course I know that ... what I mean is, can't the bot tell that
NN> the server only takes key authentication?

NN> What's the bot trying to send me, random big numbers?

>>> No, it's likely still trying password authentication. The
>>> SSH-AUTH protocol allows a client to try any authentication method
>>> it likes at any point, regardless of whether the server accepts
>>> it. The attack program in question probably just connects and
>>> tries passwords, without bothering to notice whether password
>>> authentication is even supported.

>> Now I see! My "normal" ssh client doesn't give me a password option
>> because the server has told it not to bother.

MH> Not exactly, your client asks the sshd for key authentication
MH> before password authentication; if this succeeds, there is no need
MH> for any other authentication, you are already logged in.

MH> You can see this if you just try 'ssh -vvv remotehost'.

It may or may not do this; it depends on the method order defined in the
client configuration with PreferredAuthentications.

MH> debug1: Authentications that can continue:
MH> publickey,password,keyboard-interactive
MH> ^^^^^^^^^

MH> As first.

This is actually irrelevant. The client is showing methods supported by
the server, in the order in which the server happens to list them. It
does not actually show the order in which it will try them. Play with
PreferredAuthentications a bit and you will see this.

--
Richard Silverman
res@xxxxxxxx
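Added example, not part of the thread above: a small parser for `ssh -vvv` client output that separates the server's "Authentications that can continue" list from the "Next authentication method" lines the client actually emits, showing that the attempted order follows the client's PreferredAuthentications rather than the server's listing. The debug transcript is constructed, not captured from a real host, and the PreferredAuthentications value used is an assumed client setting.

```python
import re

# Constructed sample of `ssh -vvv` client debug output (not a real capture).
# The server happens to list "password" first; the client still walks its own
# PreferredAuthentications order (assumed here: publickey,keyboard-interactive,password).
SAMPLE_DEBUG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: password,publickey,keyboard-interactive
debug1: Next authentication method: password
"""

OFFERED_RE = re.compile(r"Authentications that can continue: (\S+)")
NEXT_RE = re.compile(r"Next authentication method: (\S+)")


def parse_auth_negotiation(debug_output: str) -> dict:
    """Return the server-offered method list and the order the client tried."""
    offered = None
    attempted = []
    for line in debug_output.splitlines():
        m = OFFERED_RE.search(line)
        if m and offered is None:
            # First occurrence is the server's advertised list, in its own order.
            offered = m.group(1).split(",")
            continue
        m = NEXT_RE.search(line)
        if m:
            attempted.append(m.group(1))
    return {"server_offered": offered or [], "client_attempted": attempted}


def expected_attempt_order(preferred: str, offered: list) -> list:
    """Model the client: walk PreferredAuthentications, skipping methods the server doesn't offer."""
    return [method for method in preferred.split(",") if method in offered]


if __name__ == "__main__":
    result = parse_auth_negotiation(SAMPLE_DEBUG)
    print("server offered :", result["server_offered"])
    print("client tried   :", result["client_attempted"])
    print("predicted order:", expected_attempt_order(
        "publickey,keyboard-interactive,password", result["server_offered"]))
```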
