On Thu, 9 Jun 2005, Marty wrote:

> Regarding PKI, are there any Debian or non-Debian packages you recommend

Hi Marty. The ssh-related packages in Debian contain everything you need.

> for this use? Can you elaborate on your reasoning here, for a
> non-expert in security, or at least point to some links? I am
> particularly interested in why you think PKI is better than the plain
> ssh password/login procedure for this application, and how you keep your

Password access is highly susceptible to a brute force attack where the
attacker just cycles usernames and passwords. Breaking in using a method
like this isn't as hard as it first sounds, as most people use fairly
easily guessed usernames (e.g., first names) and passwords. I regularly
see attackers try this on my ssh daemons that don't accept password
authentication :)

PKI makes things much more difficult. An attacker would need both your
private key and your passphrase to gain entry. Brute forcing an ssh daemon
that only accepts PKI access is an intractable problem.

> keys secure (i.e. thumb drive? Floppy? Theft issues?)

All of the hosts I have private keys for are under my control or my
company's control. We have some clients that move around a lot and they
do need to keep their private keys on a USB drive.

As with everything in security, some risk is always involved. A host's
administrator may be sniffing keystrokes to get your passphrase and they
may be automatically nabbing any private keys they see - but in reality
this is not likely. If you think a machine is not safe, don't ssh from it.

Cheers,

Rob

--
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
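The two practical points in Rob's reply are (a) turn password authentication off in sshd so there is nothing for a username/password cycler to guess, and (b) the cycling is visible in the daemon's log even when it cannot succeed. The following script is an added example, not code from the thread or from Debian/OpenSSH: it audits an sshd_config fragment for the settings involved (including the keyboard-interactive/PAM path that can still prompt for a password when PasswordAuthentication is off) and counts failed password attempts per source address in OpenSSH-format log lines. Both config fragments and all log lines are constructed samples; the addresses, usernames and key fingerprint are placeholders.

```python
"""Added example (not from the original mailing-list thread): audit an
sshd_config for password-vs-public-key settings and spot username/password
cycling in OpenSSH auth log lines.  All config text, addresses and log
lines below are constructed samples, not taken from any real host."""
import re
from collections import Counter

# Constructed sshd_config fragments: a permissive one and a hardened one.
WEAK_CONFIG = """\
# constructed sample: password logins still allowed
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
# constructed sample: key + passphrase only, nothing for a cycler to guess
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}.  sshd honours the FIRST occurrence
    of a keyword, so later duplicates are ignored here too.  Conditional
    'Match' blocks are not modelled; parsing stops at the first one."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means password guessing is
    off the table.  Fallback values are OpenSSH's documented defaults."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': guessed passwords are accepted")
    # With PAM, keyboard-interactive can still prompt for a password unless
    # it is disabled as well (older configs use ChallengeResponseAuthentication).
    kbd = s.get("kbdinteractiveauthentication", s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive auth is enabled: PAM may still prompt for a password")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key-based logins will not work")
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root is a known username and the first one guessed")
    return findings


# Constructed auth.log lines in OpenSSH's format (not real traffic).
SAMPLE_AUTH_LOG = """\
Jun  9 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40110 ssh2
Jun  9 10:01:04 host sshd[1203]: Failed password for invalid user oracle from 198.51.100.7 port 40112 ssh2
Jun  9 10:01:06 host sshd[1205]: Failed password for root from 198.51.100.7 port 40114 ssh2
Jun  9 10:01:09 host sshd[1207]: Failed password for marty from 198.51.100.7 port 40116 ssh2
Jun  9 10:02:00 host sshd[1210]: Accepted publickey for rob from 203.0.113.5 port 51000 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Jun  9 10:03:15 host sshd[1212]: Failed password for marty from 203.0.113.5 port 51002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_password_sources(log_text, threshold=3):
    """Count failed password attempts per source IP.  Returns
    {ip: (count, sorted usernames tried)} for sources at or over threshold;
    a single source trying several usernames is the cycling Rob describes."""
    counts = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, ip = m.groups()
        counts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
    print(failed_password_sources(SAMPLE_AUTH_LOG))
```

On the hardened fragment the audit returns no findings; on the weak one it flags password auth, the keyboard-interactive default and root login. The log scan reports 198.51.100.7 with four failures across four usernames, while the single failure from 203.0.113.5 stays under the threshold.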