[H-GEN] brute-force ssh(s) attacks [Was: Installing a website!]

Robert Brockway rbrockway at opentrend.net
Tue Aug 9 23:40:58 EDT 2005


On Wed, 10 Aug 2005, David Jericho wrote:

> Or as Robert Brockway suggested, use the key service _with_ a solid
> passphrase.

Yes, a good point.  If the passphrase is then the use of PKI is nowhere 
near as effective.
 
> OTP has the advantage that a one-time sniff on the client you're using
> won't compromise your system, where as if someone manages to nab your
> key and passphrase, they've got access.

Still, it's difficult to get both if the user maintains some reasonable 
level of security, such as not writing the passphrase down.  I'd like to 
emphasise for the benefit of readers that they need _both_ the private key 
and the passphrase to break in.

> Of course, this also involves some physical media (such as paper)
> containing your OTP keys. Using an application or web CGI to calculate

This is one of the reasons I don't like OTPs.  Almost everyone who uses 
them marks each one off as they use it, completely invalidating the 
security model.  Those little devices which show a rotating challenge key 
are pretty damn good though.

Cheers,

Rob

-- 
Robert Brockway B.Sc.		Phone:	+1-416-669-3073
Senior Technical Consultant	Email:	support at opentrend.net
OpenTrend Solutions Ltd.	Web:	www.opentrend.net
We are open 24x7x365 for technical support.  Call us in a crisis.
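The thread above contrasts an SSH key plus passphrase (an attacker needs both) with paper OTP lists, where a code sniffed from a compromised client is useless afterwards. The following is an added example, not code from this thread or from any participant, showing why a sniffed code does not help: it implements the classic hash-chain one-time-password construction (the assumption here is that the paper lists being discussed are of that kind; the names `generate_chain`, `OtpServer` and `demo` are the example's own). The server stores only the last accepted value; each new code must hash to it, so a replayed code is rejected and the codes are consumed from the end of the chain backwards, exactly the order a user would tick them off on paper.

```python
import hashlib
import secrets
from typing import List, Tuple


def _h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256, truncated output not needed here)."""
    return hashlib.sha256(data).digest()


def generate_chain(seed: bytes, n: int) -> List[bytes]:
    """Return [h^1(seed), h^2(seed), ..., h^n(seed)].

    The user's paper list is chain[0] .. chain[n-2], used from the END
    backwards; the server is initialised with chain[n-1] and never sees
    the seed.
    """
    chain = []
    cur = seed
    for _ in range(n):
        cur = _h(cur)
        chain.append(cur)
    return chain


class OtpServer:
    """Server side: keeps only the last accepted value, nothing secret."""

    def __init__(self, anchor: bytes) -> None:
        self.last = anchor

    def verify(self, otp: bytes) -> bool:
        # A valid code is the preimage of the last accepted value.  Anyone
        # who sniffed the previous code cannot derive this one, because
        # that would mean inverting the hash.
        if _h(otp) == self.last:
            self.last = otp  # advance the chain; the old code is now dead
            return True
        return False


def demo() -> Tuple[bool, bool, bool]:
    """Walk through one login, a replay of the sniffed code, and the next login.

    Returns (first_accepted, replay_accepted, second_accepted).
    """
    # Constructed sample data: a random seed, a short list of 6 codes.
    seed = secrets.token_bytes(32)
    chain = generate_chain(seed, n=6)
    server = OtpServer(anchor=chain[-1])

    # Print what the user would carry on paper (hex, newest usable first).
    for idx, code in enumerate(reversed(chain[:-1]), start=1):
        print(f"{idx:2d}: {code.hex()[:16]}...")

    first = server.verify(chain[-2])     # legitimate login with code 1
    replay = server.verify(chain[-2])    # attacker replays the sniffed code
    second = server.verify(chain[-3])    # user's next login with code 2
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

The model only breaks down if the attacker obtains the unused part of the list itself (or the seed), which is the real risk of carrying codes on paper; the sniffed, already-used code contributes nothing.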



