Date:      Mon, 11 Oct 2004 10:09:56 +0200
From:      Dennis Koegel <amf@hobbit.neveragain.de>
To:        Matt Juszczak <matt@atopia.net>
Cc:        Luke <luked@pobox.com>
Subject:   Re: Protecting SSH from brute force attacks
Message-ID:  <20041011080956.GA25514@neveragain.de>
In-Reply-To: <20041010164426.Y57852@scruffy.atopia.net>
References:  <Pine.NEB.4.60.0410071514530.27025@mx.freeshell.org> <20041008072454.GB16547@neveragain.de> <20041010164426.Y57852@scruffy.atopia.net>

On Sun, Oct 10, 2004 at 04:45:26PM -0400, Matt Juszczak wrote:
> Isn't it hard (and sort of more insecure) to use the keys?
Why that? Start an agent together with your login session, have it load
the key(s) (after you've entered the holy passphrase(s), of course) and
you're set to go. Simply 'ssh foo' and you're logged in.

> For instance, anyone who gets access to your home dir would be able to
> get the keys for all your servers....
True, but that's why they're protected by a passphrase (which is
symmetric encryption, i.e. you can change it without having to tell your
servers about it).

> I'm just kind of confused on how the keys could be much more secure
> than passwords.
Well, a password works from everywhere and can be brute-forced. Or
someone might get to know it via other means, hacking one of your
target hosts for example (the password is sent over the wire when
you log in!).

If someone compromises a target host and you use public keys, the
attacker only gains your public key. Which he can have. ;)

OTOH your point is valid, of course. But when someone is in control
of your machine, he might intercept your password anyway...

- D.

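A defender-side companion to the advice in this message, added here and not part of the original mail: a small audit of an sshd_config that reports which settings still leave password guessing possible. The keyword handling follows sshd's documented rules (case-insensitive keywords, first value wins, Match blocks are conditional); the defaults are current OpenSSH defaults and the config text is a constructed sample.

```python
"""Audit an sshd_config for the key-only login the thread recommends."""
import re

# Current OpenSSH defaults for the keywords that matter here.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

# What a brute-force-resistant, key-only sshd should look like.
WANTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "no",
}

def effective_settings(config_text):
    """Return the global settings sshd would use for this config.

    Keywords are case-insensitive, '#' starts a comment, and for each
    keyword the FIRST value in the file wins.  Everything after a
    'Match' line is conditional, so it is left out of the global view.
    """
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"^(\w+)\s*=?\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        if key == "challengeresponseauthentication":  # deprecated alias
            key = "kbdinteractiveauthentication"
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def audit(config_text):
    """List the settings that still allow password-based logins."""
    eff = effective_settings(config_text)
    return sorted(k for k, want in WANTED.items() if eff[k] != want)

# Constructed sample: the commented line is ignored, the first real
# PasswordAuthentication value wins, and the Match block is skipped.
SAMPLE = """
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no
Match Address 10.0.0.0/8
    KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))  # ['kbdinteractiveauthentication']
```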
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041011080956.GA25514>