OpenSSH daemon security bug?
Michael Stone
mstone at mathom.us
Thu Jan 7 00:00:21 EST 2010

On Wed, Jan 06, 2010 at 05:47:17AM +0000, Jefferson Ogata wrote:
> I'm curious, since you bring it up, what method do you prefer for rate
> limiting failed password attempts and failed pubkey attempts? How well
> does your method work on routers and other ssh-capable network devices?

Small installations can get by with firewall rules, and there are some
pam modules and other techniques to do rate limiting and add exponential
lockouts for accounts. People who actually need to worry about an
attacker trying to really brute-force passwords (not dictionary attacks)
probably should be using a real two-factor mechanism and for those
people this entire discussion is moot. (Gets back to "understand your
threats".)

> Also, are you suggesting that Jamie's statement is untrue?

I won't challenge anyone else's experience, but I will say that I have
not seen attackers trying to exhaustively brute-force passwords via ssh.
Against a shadow file, sure, but the math on doing that over the network
even with the default configuration that forces a new connection (and
handshake overhead) after a few failures isn't pretty. You can make the
math more favorable by doing it in a distributed fashion, and hitting a
bunch of targets if they're using centralized auth, but in that case why
wouldn't the centralized auth disable the account after, say, 1000
failures? At any rate, as above, if you're enough of a high-profile
target that this is a serious risk to you, you should be using
multifactor auth.

Mike Stone
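Added example (not from the thread or any of its participants): one way to implement the per-source exponential lockout Mike mentions, replayed over constructed sshd "Failed password" log lines; the regex, the threshold of three failures and the 30s/60s/120s doubling are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

FAILED_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")

# Constructed sample lines in the shape sshd logs failed password attempts (ISO timestamp prefix).
SAMPLE_LOG = """\
2010-01-07T00:00:01+00:00 sshd[4011]: Failed password for root from 203.0.113.5 port 40122 ssh2
2010-01-07T00:00:03+00:00 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
2010-01-07T00:00:05+00:00 sshd[4013]: Failed password for root from 203.0.113.5 port 40124 ssh2
2010-01-07T00:00:07+00:00 sshd[4014]: Failed password for root from 203.0.113.5 port 40125 ssh2
2010-01-07T00:00:09+00:00 sshd[4015]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
2010-01-07T00:00:11+00:00 sshd[4016]: Failed password for bob from 198.51.100.7 port 51001 ssh2
"""

@dataclass
class Source:
    failures: int = 0          # consecutive failed attempts from this IP
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked

@dataclass
class ExponentialLockout:
    """Lock a source IP once it reaches `threshold` failures; every further failure doubles the lockout."""
    threshold: int = 3          # assumed values, not anything sshd or pam ships with
    base_seconds: float = 30.0
    max_seconds: float = 3600.0
    sources: dict = field(default_factory=dict)

    def record_failure(self, ip: str, now: float) -> float:
        s = self.sources.setdefault(ip, Source())
        s.failures += 1
        over = s.failures - self.threshold
        if over >= 0:
            # 30s on the 3rd failure, 60s on the 4th, 120s on the 5th, ... capped at max_seconds
            s.locked_until = now + min(self.base_seconds * 2 ** over, self.max_seconds)
        return s.locked_until

    def is_locked(self, ip: str, now: float) -> bool:
        s = self.sources.get(ip)
        return s is not None and now < s.locked_until

def replay(log: str, policy: ExponentialLockout) -> dict:
    """Feed each failed-password line to the policy; return ip -> lock expiry (epoch seconds)."""
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            policy.record_failure(m.group(2), datetime.fromisoformat(m.group(1)).timestamp())
    return {ip: s.locked_until for ip, s in policy.sources.items()}
```

In practice the decision from `is_locked` would feed a firewall rule or a pam check rather than a dict; the replay here only shows the bookkeeping.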