OpenSSH daemon security bug?

Jefferson Ogata Jefferson.Ogata at noaa.gov
Wed Jan 6 16:47:17 EST 2010


On 2010-01-06 00:56, Michael Stone wrote:
> On Tue, Jan 05, 2010 at 01:29:49PM -0800, Jamie Beverly wrote:
>> Yes, in fact brute-force ssh-scans do occur quite frequently. Granted, 
>> they are not as frequent as dictionary scans. However, because even 
>> "strong" passwords/phrases typically contain less than 40 bits of 
>> entropy, the time it takes to brute-force even "strong" 
>> passwords/phrases is finite, and even comparatively brief. 
> 
> So you don't rate limit attempts or cap failures? Interesting.

I'm curious, since you bring it up, what method do you prefer for rate 
limiting failed password attempts and failed pubkey attempts? How well 
does your method work on routers and other ssh-capable network devices?

Also, are you suggesting that Jamie's statement is untrue?

-- 
Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
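As an added example (not code from this thread or from the OpenSSH project), below is one common answer to the rate-limiting question Jefferson raises: a fail2ban-style sliding-window counter run over sshd's own syslog lines. It counts "Failed password" and "Failed publickey" records per source address inside a time window and reports addresses that reach a failure threshold. The log lines are constructed for this example; the host name, the source addresses (documentation ranges) and the year 2010 used to complete the year-less syslog timestamps are all assumptions. Note that sshd records individual failed publickey offers only at LogLevel VERBOSE, which is why those lines appear in the sample.

```python
"""Sliding-window rate limiting of failed sshd logins (fail2ban-style).

Parses syslog-format sshd lines, counts password and publickey failures per
source address inside a time window, and reports addresses that reach a
threshold.  Every log line below is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt: one fast scanner (198.51.100.7), one slow
# scanner that pauses for 17 minutes (203.0.113.9), and a legitimate user who
# mistypes once (192.0.2.5).  Lines are in chronological order.
SAMPLE_LOG = """\
Jan  6 16:35:00 bastion sshd[4001]: Failed password for invalid user test from 203.0.113.9 port 33001 ssh2
Jan  6 16:36:00 bastion sshd[4003]: Failed password for invalid user guest from 203.0.113.9 port 33002 ssh2
Jan  6 16:37:00 bastion sshd[4005]: Failed password for root from 203.0.113.9 port 33003 ssh2
Jan  6 16:38:00 bastion sshd[4007]: Failed password for root from 203.0.113.9 port 33004 ssh2
Jan  6 16:40:01 bastion sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 41234 ssh2
Jan  6 16:40:03 bastion sshd[4103]: Failed password for invalid user oracle from 198.51.100.7 port 41240 ssh2
Jan  6 16:40:05 bastion sshd[4105]: Failed password for root from 198.51.100.7 port 41251 ssh2
Jan  6 16:40:07 bastion sshd[4107]: Failed publickey for root from 198.51.100.7 port 41260 ssh2
Jan  6 16:40:09 bastion sshd[4109]: Failed password for root from 198.51.100.7 port 41270 ssh2
Jan  6 16:40:11 bastion sshd[4111]: Failed password for root from 198.51.100.7 port 41281 ssh2
Jan  6 16:40:30 bastion sshd[4113]: Accepted publickey for ogata from 192.0.2.5 port 50022 ssh2
Jan  6 16:41:00 bastion sshd[4115]: Failed password for ogata from 192.0.2.5 port 50030 ssh2
Jan  6 16:41:10 bastion sshd[4115]: Accepted password for ogata from 192.0.2.5 port 50030 ssh2
Jan  6 16:41:11 bastion sshd[4115]: pam_unix(sshd:session): session opened for user ogata by (uid=0)
Jan  6 16:55:00 bastion sshd[4201]: Failed password for root from 203.0.113.9 port 33005 ssh2
Jan  6 16:56:00 bastion sshd[4203]: Failed password for root from 203.0.113.9 port 33006 ssh2
"""

# Matches "Failed password for ..." and "Failed publickey for ..." records; the
# "invalid user" prefix is optional and anything after the port is ignored.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"\S+\s+sshd\[\d+\]:\s+Failed\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

# syslog timestamps carry no year; the year of the thread is assumed here.
ASSUMED_YEAR = 2010


def parse_failure(line):
    """Return (timestamp, source_ip, method, user), or None if the line is not
    an authentication failure."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["src"], m["method"], m["user"]


def find_offenders(lines, max_failures=5, window_seconds=600):
    """Return {source_ip: timestamp_of_tripping_failure} for every source that
    accumulates max_failures failures within any window_seconds-long span.
    Lines must be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source -> failure timestamps still inside the window
    tripped = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue  # successes, session lines and other noise are not counted
        ts, src, _method, _user = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that have aged out
            q.popleft()
        if len(q) >= max_failures and src not in tripped:
            tripped[src] = ts
    return tripped


def demo():
    """Run the detector over the constructed sample with default settings."""
    return find_offenders(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, when in sorted(demo().items()):
        print(f"{src} reached the failure threshold at {when:%Y-%m-%d %H:%M:%S}")
```

With the defaults (5 failures in 10 minutes) only 198.51.100.7 trips; 203.0.113.9 made six failures in total but never five inside one window, which is the point of a sliding window over a simple lifetime counter. This is only the detection half: the response (a firewall drop, a pf table, a TCP wrapper deny) is separate, and sshd's own MaxAuthTries caps attempts per connection, not per source, so a scanner that reconnects for each guess is unaffected by it. On routers and other network devices that cannot run a log watcher on-box, the same logic can be applied to their exported syslog on a central collector, though enforcement then has to happen on an upstream filter rather than on the device.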

