Protecting SSH from brute force attacks
amf at hobbit.neveragain.de
Mon Oct 11 01:10:03 PDT 2004
On Sun, Oct 10, 2004 at 04:45:26PM -0400, Matt Juszczak wrote:

> Isn't it hard (and sort of more insecure) to use the keys?

Why that? Start an agent together with your login session, have it load
the key(s) (after you've entered the holy passphrase(s), of course) and
you're set to go. Simply 'ssh foo' and you're logged in.

> For instance, anyone who gets access to your home dir would be able to
> get the keys for all your servers....

True, but that's why they're protected by a passphrase (which is
symmetric encryption, i.e. you can change it without having to tell your
servers about it).

> I'm just kind of confused on how the keys could be much more secure
> than passwords.

Well, a password works from everywhere and can be brute-forced. Or
someone might get to know it via other means, hacking one of your
target hosts for example (the password is sent over the wire when
you log in!).

If someone compromises a target host and you use public keys, the
attacker only gains your public key. Which he can have. ;)

OTOH your point is valid, of course. But when someone is in control
of your machine, he might intercept your password anyway...

More information about the freebsd-questions
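
The reply's point that the passphrase is only local symmetric encryption of the private key can be checked with OpenSSH's own `ssh-keygen`. The script below is an added example, not part of the original message: it creates a throwaway key, changes its passphrase, and confirms that the public key a server would hold is unchanged. The passphrases, key name and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway key in a temp dir; both passphrases are constructed sample values.
OLD_PASS='constructed-old-passphrase'
NEW_PASS='constructed-new-passphrase'

# Create a passphrase-protected ed25519 key pair at path $1.
make_key() {
    ssh-keygen -q -t ed25519 -N "$OLD_PASS" -C demo -f "$1"
}

# Succeeds only if passphrase $2 decrypts the private key file $1.
unlocks() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# Re-derive the public key from the encrypted private key $1 using passphrase $2.
derived_pubkey() {
    ssh-keygen -y -P "$2" -f "$1" 2>/dev/null | awk '{print $1, $2}'
}

# Re-encrypt the private key under the new passphrase (no server is involved).
rotate_passphrase() {
    ssh-keygen -q -p -P "$OLD_PASS" -N "$NEW_PASS" -f "$1" >/dev/null
}

# Returns 0 when the rotation changed only the local encryption of the key.
rotation_is_local_only() {
    dir=$(mktemp -d) || return 1
    key="$dir/id_demo"
    make_key "$key" || return 1
    before=$(derived_pubkey "$key" "$OLD_PASS")
    rotate_passphrase "$key" || return 1
    after=$(derived_pubkey "$key" "$NEW_PASS")
    rc=0
    [ -n "$before" ] && [ "$before" = "$after" ] || rc=1  # same public key as before
    unlocks "$key" "$NEW_PASS" || rc=1                    # new passphrase decrypts the key
    unlocks "$key" "$OLD_PASS" && rc=1                    # old passphrase no longer does
    rm -rf "$dir"
    return $rc
}

if rotation_is_local_only; then
    echo "passphrase changed, public key unchanged"
else
    echo "unexpected result" >&2
fi
```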