[H-GEN] brute-force ssh(s) attacks [Was: Installing a website!]
Robert Brockway
rbrockway at opentrend.net
Tue Aug 9 23:40:58 EDT 2005
On Wed, 10 Aug 2005, David Jericho wrote:
> Or as Robert Brockway suggested, use the key service _with_ a solid
> passphrase.
Yes, a good point. If the passphrase is then the use of PKI is nowhere
near as effective.
> OTP has the advantage that a one-time sniff on the client you're using
> won't compromise your system, where as if someone manages to nab your
> key and passphrase, they've got access.
Still, it's difficult to get both if the user maintains some reasonable
level of security, such as not writing the passphrase down. I'd like to
emphasise for the benefit of readers that they need _both_ the private key
and the passphrase to break in.
> Of course, this also involves some physical media (such as paper)
> containing your OTP keys. Using an application or web CGI to calculate
This is one of the reasons I don't like OTPs. Almost everyone who uses
them marks each one off as they use it, completely invalidating the
security model. Those little devices which show a rotating challenge key
are pretty damn good though.
Cheers,
Rob
--
Robert Brockway B.Sc. Phone: +1-416-669-3073
Senior Technical Consultant Email: support at opentrend.net
OpenTrend Solutions Ltd. Web: www.opentrend.net
We are open 24x7x365 for technical support. Call us in a crisis.
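The thread contrasts a printed list of one-time passwords with a reusable key-plus-passphrase. The example below, added here and not part of the original mailing-list message, shows the S/Key-style hash-chain mechanism that such paper OTP lists are typically built on, using SHA-256 and a constructed demo secret (both assumptions of this example). It demonstrates the property David Jericho refers to: a password sniffed once cannot be replayed, and the server never holds anything from which future passwords can be derived.

```python
import hashlib
import hmac


def hash_step(value: bytes) -> bytes:
    """One link of the chain: H(value). SHA-256 is an assumption of this example."""
    return hashlib.sha256(value).digest()


def hash_chain(secret: bytes, count: int) -> bytes:
    """Apply hash_step `count` times to `secret` (H^count(secret))."""
    value = secret
    for _ in range(count):
        value = hash_step(value)
    return value


class OtpServer:
    """Verifier side. Stores only the last accepted value and a counter,
    never the secret: the stored value cannot be inverted to obtain the
    next password the client will present."""

    def __init__(self, secret: bytes, chain_length: int) -> None:
        self.remaining = chain_length
        # Initial anchor is H^n(secret); the secret itself is discarded.
        self.last_accepted = hash_chain(secret, chain_length)

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False  # list exhausted; re-enrolment needed
        # Candidate must hash to the previously accepted value.
        if hmac.compare_digest(hash_step(candidate), self.last_accepted):
            self.last_accepted = candidate  # chain moves one step back
            self.remaining -= 1
            return True
        return False


class OtpClient:
    """The 'paper list': passwords H^(n-1)(s), H^(n-2)(s), ..., H^0(s),
    used strictly in order, each exactly once."""

    def __init__(self, secret: bytes, chain_length: int) -> None:
        self.passwords = [hash_chain(secret, i) for i in range(chain_length - 1, -1, -1)]
        self.next_index = 0

    def next_password(self) -> bytes:
        password = self.passwords[self.next_index]
        self.next_index += 1
        return password


def demo() -> dict:
    """Run a short session: a genuine login, a replay of the sniffed
    password, then the next genuine login."""
    secret = b"constructed-demo-secret"  # constructed for this example
    chain_length = 5
    server = OtpServer(secret, chain_length)
    client = OtpClient(secret, chain_length)

    first = client.next_password()
    results = {}
    results["first_login"] = server.verify(first)
    # Attacker who sniffed `first` tries to reuse it: fails.
    results["replay_of_sniffed"] = server.verify(first)
    # Legitimate user continues with the next entry on the list.
    results["second_login"] = server.verify(client.next_password())
    return results


if __name__ == "__main__":
    print(demo())
```

Because each accepted password becomes the new anchor, a value captured in transit is useless a second time, and a copy of the server's stored state only yields values that have already been spent. The weakness the thread raises is entirely on the client side: the printed list is a secret in its own right, and crossing off used entries tells anyone who finds it exactly which password is next.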