Re: using PubkeyAuthentication, still getting dictionary attacks!



"MH" == Michael Heiming <michael+USENET@xxxxxxxxxxxxxx> writes:

MH> In comp.security.ssh Nomen Nescio <nobody@xxxxxxxxx>:
>> "Richard E. Silverman" <res@xxxxxxxx> wrote:

NN> Of course I know that ... what I mean is, can't the bot tell that
NN> the server only takes key authentication?

NN> What's the bot trying to send me, random big numbers?

>>> No, it's likely still trying password authentication. The
>>> SSH-AUTH protocol allows a client to try any authentication method
>>> it likes at any point, regardless of whether the server accepts
>>> it. The attack program in question probably just connects and
>>> tries passwords, without bothering to notice whether password
>>> authentication is even supported.

>> Now I see! My "normal" ssh client doesn't give me a password option
>> because the server has told it not to bother.

MH> Not exactly, your client asks the sshd for key authentication
MH> before password authentication; if this succeeds, there is no need
MH> for any other authentication, you are already logged in.

MH> You can see this if you just try 'ssh -vvv remotehost'.

It may or may not do this; it depends on the method order defined in the
client configuration with PreferredAuthentications.

MH> debug1: Authentications that can continue:
MH> publickey,password,keyboard-interactive
MH> ^^^^^^^^^

MH> As first.

This is actually irrelevant. The client is showing methods supported by
the server, in the order in which the server happens to list them. It
does not actually show the order in which it will try them. Play with
PreferredAuthentications a bit and you will see this.

--
Richard Silverman
res@xxxxxxxx
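To make the last point concrete, here is an added example (not from the thread): it parses a constructed `ssh -vvv` transcript and separates the server's advertised "Authentications that can continue" list from the methods the client actually attempts, which follow the client's PreferredAuthentications rather than the server's list order.

```python
import re

# Constructed sample of `ssh -vvv` output (assumed, not a real capture).
# The client was run with PreferredAuthentications=keyboard-interactive,publickey
# against a server that advertises publickey,password,keyboard-interactive.
SAMPLE_DEBUG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: preferred keyboard-interactive,publickey
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: publickey
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: authmethod_lookup publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_ed25519 ED25519
debug1: Authentication succeeded (publickey).
"""

ADVERTISED = re.compile(r"^debug1: Authentications that can continue: (\S+)$")
ATTEMPTED = re.compile(r"^debug1: Next authentication method: (\S+)$")


def advertised_methods(debug_output):
    """Methods the server lists, in whatever order the server lists them."""
    for line in debug_output.splitlines():
        m = ADVERTISED.match(line)
        if m:
            return m.group(1).split(",")
    return []


def attempted_methods(debug_output):
    """Methods the client actually tried, in the order it tried them."""
    return [m.group(1) for line in debug_output.splitlines()
            if (m := ATTEMPTED.match(line))]


def follows_advertised_order(debug_output):
    """True only if the client walked the server's list from the front."""
    advertised = advertised_methods(debug_output)
    attempted = attempted_methods(debug_output)
    return attempted == advertised[:len(attempted)]


if __name__ == "__main__":
    print("server advertised:", advertised_methods(SAMPLE_DEBUG))
    print("client attempted :", attempted_methods(SAMPLE_DEBUG))
    print("same order?      ", follows_advertised_order(SAMPLE_DEBUG))
```

Run it against your own `ssh -vvv host 2> debug.log` output to see which method your client tries first; the advertised list comes from the server, the attempt order from your ssh_config.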
