
Re: HEAD's UP: possible 0day SSH exploit in the wild



Jim Popovitch wrote:

> > ALLOW rules and SSH-keys.
> 
> Is there a way to force keys AND passwd verification?

Normally you'd want to DISABLE PasswordAuthentication and ChallengeResponseAuthentication - unless you have a special and well-maintained setup like e.g. One-Time-Pads or such - because both can potentially be brute-forced way faster than SSH keys... unless you happen to use a key generated with one of those "funny" buggy random sources from the past, in which case a well-maintained sshd nowadays will simply reject your key.

Something that would indeed be interesting is a way to enforce that the PRIVATE KEY is password-protected - sadly, you can't see this from the public key, and I'm not aware of any possibility to query the client concerning this specific matter.

Sebastian
-- 
baboo
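As an added example (not from the post or from OpenSSH itself), a small audit of the global section of an sshd_config for the two options Sebastian recommends disabling. It mirrors sshd's parsing rules (first value for a keyword wins, keywords are case-insensitive, `#` starts a comment) and applies OpenSSH's documented defaults when a keyword is absent; the sample configs are constructed.

```python
"""Audit an sshd_config for password-based authentication paths.
Assumed defaults come from sshd_config(5): PasswordAuthentication,
ChallengeResponseAuthentication and PubkeyAuthentication default to
"yes", PermitEmptyPasswords to "no"."""
import re

DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the global section only.
    Scanning stops at the first 'Match' block: its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in settings:   # sshd keeps the FIRST value
            settings[key] = parts[1].strip()
    return settings

def audit(text):
    """Return findings for settings that leave brute-forceable methods enabled."""
    effective = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    for key in ("passwordauthentication", "challengeresponseauthentication"):
        if effective[key] != "no":
            findings.append(f"{key} is {effective[key]!r} (should be 'no')")
    if effective["permitemptypasswords"] == "yes":
        findings.append("permitemptypasswords is 'yes'")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled; keys cannot be the sole method")
    return findings

# Constructed samples. The weak one never sets PasswordAuthentication (the
# commented line does not count), so the default "yes" is in effect, and its
# later "no" for ChallengeResponseAuthentication loses to the earlier "yes".
WEAK_CONFIG = """Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no   # ignored: first value wins
"""
HARDENED_CONFIG = """PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes   # conditional, outside the global audit
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

On a live host, feeding `sshd -T` output (the fully expanded effective configuration) into `audit()` avoids the Match-block and include caveats of reading the file directly.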

