
Re: need help with openssh attack



On Thu, Dec 29, 2011 at 04:39:24PM +0100, Kees de Jong wrote:
> I guess I already pointed out everything. I added the updating part to it.
> 
> * Use private not public keys with strong passwords

This doesn't make any sense at all.  You need both private and public
keys for key-based authentication, and it's very important that you
recognize the difference between the two.

Also, one of the real problems with ssh key authentication is that
there's no way to enforce a strong password policy on the private keys.
Plenty of times I've seen an otherwise secure host compromised when a
user did something silly like drop their passwordless private key in
their public_html folder.

noah

Attachment: signature.asc
Description: Digital signature
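
The server has no say in whether a private key carries a passphrase, but an administrator can sweep home directories for key files that have none, especially under web-served directories such as the `public_html` case described above. The following is an added example, not part of the original message: the names `classify_key`, `audit` and `demo` are hypothetical, and the key files it scans are constructed samples with filler bodies.

```python
import base64, re, struct, tempfile
from pathlib import Path
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"

def classify_key(data):
    """Return 'unprotected', 'encrypted', or None when data holds no private key."""
    m = PEM_RE.search(data)
    if not m:
        return None
    label, body = m.groups()
    if label == b"OPENSSH PRIVATE KEY":      # newer format: cipher name follows the magic
        try:
            blob = base64.b64decode(b"".join(body.split()))
            (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        except (ValueError, struct.error):
            return None
        if not blob.startswith(MAGIC):
            return None
        return "unprotected" if blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] == b"none" else "encrypted"
    # PKCS#8 says so in the label; legacy PEM (RSA/DSA/EC) in an RFC 1421 Proc-Type header
    encrypted = label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
    return "encrypted" if encrypted else "unprotected"

def audit(root, web_dirs=("public_html",), max_bytes=65536):
    """Return sorted (path, status, web_exposed) for each private key file under root."""
    findings = []
    for path in Path(root).rglob("*"):
        try:
            if path.is_symlink() or not path.is_file() or path.stat().st_size > max_bytes:
                continue
            status = classify_key(path.read_bytes())
        except OSError:                      # unreadable file: skip, do not abort the sweep
            continue
        rel = path.relative_to(root)
        if status:
            findings.append((rel.as_posix(), status, any(p in web_dirs for p in rel.parts[:-1])))
    return sorted(findings)

def demo():  # constructed tree: real header formats, filler bodies, not usable keys
    pem = lambda lab, b: b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (lab, b, lab)
    ossh = lambda c: pem(b"OPENSSH PRIVATE KEY", base64.b64encode(MAGIC + struct.pack(">I", len(c)) + c))
    tree = {"alice/.ssh/id_rsa": pem(b"RSA PRIVATE KEY", b"Proc-Type: 4,ENCRYPTED\n\nAAAA"),
            "bob/public_html/id_rsa": pem(b"RSA PRIVATE KEY", b"AAAA"),
            "carol/.ssh/id_ed25519": ossh(b"none"), "dave/.ssh/id_ed25519": ossh(b"aes256-ctr")}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(root) / rel).write_bytes(data)
        return audit(root)
```

The check only tells whether a passphrase is present; it cannot judge how strong that passphrase is.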

