
Re: Darn skiddies (ssh login attempts)



On Fri, Apr 01, 2005 at 11:43:07AM -0800, Chris Adams wrote:
> There's no difference between the two as regards policy - it's a one-line command to change either a password or key,

There's no difference? All of the tools to automatically expire
passwords at a given interval, mandate minimum complexity in passwords,
and then centralize all of that policy exist in a simple plug-and-play
form on a typical debian install? Do tell. Some (not all) of these
things are doable, some aren't even that hard, but they are not widely
deployed or even considered.

> both, etc. - and it's still game-over if the user's client is trojaned.

Not entirely. With passwords there's the important requirement that a
password actually be sent through a compromised machine. With private
keys, you're in trouble if any machine that the user happened to leave
the key on gets compromised. It's not uncommon for users to leave keys
all over the place--and you'll never know since you have essentially
zero control over the private key.

> The two advantages to keys are the fact that a key doesn't get sent to the remote host (preventing the sort of collection attacks that are becoming common on large networks)

The key doesn't get sent but the key might be on a compromised host.
It's a draw there.

> and that a key is effectively longer than a password, making a direct
> brute-force attack impossible and protecting you somewhat from casual
> attacks against weak passwords:

Password complexity mandates prevent casual attacks against weak
passwords also. How do you prevent weak rsa key passwords?

Mike Stone
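One client-side check that follows from this exchange, as an added example (not code from the list thread): a script that reads an SSH private key file and reports whether it is passphrase-protected at all, by inspecting the ciphername/kdfname fields of the openssh-key-v1 container or the Proc-Type header of a legacy PEM key. It cannot judge how strong the passphrase is, which is exactly the gap the reply points at. The key fixtures below are constructed, header-only samples, not real keys.

```python
"""Audit: is an SSH private key passphrase-protected at all? (added example)"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    """Decode one SSH wire-format string at offset off; returns (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_encrypted(pem_text):
    """True if the key needs a passphrase, False if it is stored in the clear.
    Handles the openssh-key-v1 container and legacy PEM (RSA/DSA/EC) keys;
    it says nothing about how strong that passphrase is."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        # An unprotected key is written with ciphername "none" and kdfname "none".
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: encryption is signalled by RFC 1421-style headers before the body.
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:  # first base64 (or blank) line ends the header block
            break
        k, v = ln.split(":", 1)
        headers[k.strip()] = v.strip()
    return headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers

def make_openssh_key(cipher, kdf):
    """Constructed fixture: only the container header, enough for the check above."""
    body = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-PEM fixtures (bodies are dummy; only the headers matter here).
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

To audit a workstation, call key_is_encrypted(open(path).read()) on each private key file under the user's ~/.ssh; anything that comes back False is a key that leaks outright if that host is compromised.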


