[nycbug-talk] Analyzing malicious SSH login attempts

[Trish Lynch]

On Tue, 12 Sep 2006, Jeff Quast wrote:

> On 9/12/06, csnyder <chsnyder at gmail.com> wrote:
>>>
>>> I am also curious.. where do we draw the line and just *trust* our OS?
>>>
>
>
> I just felt the need to reply to the line that this is OpenSSH's
> responsability to deal with. It made me mad. They do a great job
> dealing with this issue in the place it is meant to be dealt with.
>

I 100% disagree with this, since OpenSSH is in fact partially responsible 
for handling the connection and authenticating it, including keys... if 
its failed to authenticate within OpenSSH, its not any other program or 
tool's responssibility to handle it. IMO you've got it 100% wrong... but 
then we can agree to disgaree on this. If OpenSSH wasn;t handling part of 
the auth layer, I'd agree, but since it does, inclduing what kind of auth 
you use (key or password) it needs to work for both password and key based 
auth. OpenSSH is the place to gracefully handle this without having to 
implement a specific firewall to make it work.


> Password authentication should only be used once to add your public
> key to authorized_keys file anyway. I dont even know most of the
> passwords for my SSH accounts :0, they are too hard to remember, much
> less guess.

That I'd agree on, but remember you can have failed key attempts as well, 
while brute forcing keys is difficult, remember that its not impossible to 
crack lesser key auths.... one of these days its going to work. Besides 
connection based attacks aren;t always based on authentication.... you can 
tie up resources by spamming key based auth failures.

-Trish


> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>

-- 
Trish Lynch					   trish at bsdunix.net
Key fingerprint = 781D 2B47 AA4B FC88 B919  0CD6 26B2 1D62 6FC1 FF16