On Wed, Nov 15, 2006 at 09:04:08PM -0600, Nate Bargmann wrote:
>
> Is using only version 2 public key authentication not possible?  I'm
> just learning ssh, so maybe I'm misled thinking that is less vulnerable
> to a brute force attack.
>

Whether or not just using ssh2 with public keys is possible depends greatly on his requirements and his users. If the users can be convinced or trained to use keys, then it is by far the best way to go. However, users must be taught about proper key discipline, including things like having good passphrases on keys (something which I did not do for a long time) and having different keys for different hosts.

Restricting access to only key-based logins makes a brute force attack a practical impossibility. However, the concern becomes that someone can compromise a user's key. Now, the possibility that a key is compromised is dramatically less than that of a password getting brute forced. That is because the adversary must gather quite a bit of intelligence (i.e., identify one or more users of the target system) and then somehow compromise that user's computer(s) and the associated key passphrase. That is not impossible, but neither is it a small task.

That is what makes key-based logins (especially with password logins completely disabled) so nice. It greatly diminishes your attractiveness as a target.

Regards,

-Roberto

--
Roberto C. Sanchez
http://people.connexer.com/~roberto
http://www.connexer.com
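
An added example, not part of the original message: a small check that an sshd_config really restricts logins to keys with password logins disabled, as discussed above. The function names and both sample configurations are constructed for illustration; the keywords are standard OpenSSH sshd_config keywords.

```python
# Added example: audit the global section of an sshd_config for key-only logins.
# Include files are not followed; a Match block ends the global section.
DEFAULTS = {  # upstream OpenSSH behaviour when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (settings, has_match); sshd uses the first value seen per keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())  # keywords are case-insensitive
        if key == "match":
            return settings, True
        if len(parts) > 1:
            settings.setdefault(key, parts[1])  # later duplicates are ignored
    return settings, False

def audit(text):
    """List the ways this config falls short of key-only authentication."""
    settings, has_match = parse_global(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no': passwords can be guessed")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is enabled: PAM may still prompt for a password")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled: key logins will fail")
    # Protocol only matters on old servers that still ship SSH-1 support.
    if "1" in eff.get("protocol", "2").split(","):
        findings.append("Protocol line allows SSH version 1")
    if has_match:
        findings.append("Match blocks present: review their overrides separately")
    return findings

# Constructed samples. In WEAK the second PasswordAuthentication line has no effect.
WEAK = "Protocol 2,1\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("Protocol 2\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nChallengeResponseAuthentication no\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "key-only logins enforced")
```

On a live host, feeding the output of `sshd -T` to `audit` checks the effective configuration rather than the file as written.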