Too many public keys
phil.pennock at globnix.org
Sat Apr 6 04:57:18 EST 2013
On 2013-04-05 at 10:56 +0200, Aris Adamantiadis wrote:
> If you have too many public keys, you can use a config file to
> specifically set an identity file to use with a host. I don't see what
> problems you are trying to resolve, when, on the contrary, this limit on
> the number of public key tries per connection has actually been useful
> during the Debian OpenSSL fiasco.
> While I agree that there's no point counting failed gssapi attempts, as
> these cannot really be brute-forced.
Throwing out a random crazy idea for consideration:
How about cap per keytype, then? If I'm trying to brute-force DSA,
trying an RSA key shouldn't count against that limit.
I suspect that a reasonable limit is 3 per key-type. Folks normally
have one per type loaded, they might try a second because they
forgot/didn't-know-about IdentitiesOnly, and one more allows for
weirdness, like "I added keys from a second host for an emergency, then
ran a tool which doesn't specify IdentitiesOnly".
Does this seem reasonable?
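Added example for this thread (not code from the openssh-unix-dev list or from OpenSSH): a small POSIX shell audit that reads a key listing in the line format of `ssh-add -L`, counts keys per key type, flags any type over the per-type cap of 3 proposed above, and prints the ssh_config stanza (`IdentityFile` plus `IdentitiesOnly`) that is the existing workaround for offering too many keys against sshd's per-connection authentication-attempt limit. The key listing below is constructed and the base64 blobs are placeholders; the host and key path in the stanza are assumed.

```shell
#!/bin/sh
# Added example for this thread; not code from the openssh-unix-dev list
# or from OpenSSH. It does two things the discussion talks about:
#   1. counts the keys an agent would offer, per key type, and flags any
#      type over the per-type cap of 3 proposed in the message above;
#   2. prints the ssh_config stanza (IdentityFile + IdentitiesOnly) that is
#      the existing workaround for "too many keys" against sshd's
#      per-connection authentication-attempt limit.
# Assumption: input has the line format of `ssh-add -L`
# ("<type> <base64-blob> <comment>"). The sample below is constructed and
# the blobs are placeholders, not real keys.

SAMPLE_AGENT_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... alice@desktop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... deploy@ci
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... alice@emergency-box
ssh-dss AAAAB3NzaC1kc3MAAACBAP... alice@laptop
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY... alice@laptop'

# count_per_type: read public-key lines on stdin, print "<type> <count>"
# for each key type, sorted by type name. Lines that are not key lines
# (blank lines, "The agent has no identities.") are ignored; every SSH
# wire-format public key blob starts with "AAAA" (its 4-byte length prefix).
count_per_type() {
    awk 'NF >= 2 && $2 ~ /^AAAA/ { n[$1]++ } END { for (t in n) print t, n[t] }' | sort
}

# over_cap CAP: read public-key lines on stdin, print each key type whose
# count exceeds CAP; exit 1 if any type did, 0 otherwise.
over_cap() {
    count_per_type | awk -v cap="$1" '
        $2 + 0 > cap + 0 { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# pin_identity HOST KEYFILE: emit an ssh_config stanza that makes ssh offer
# only KEYFILE to HOST, whatever the agent holds. IdentityFile alone is not
# enough: without IdentitiesOnly, agent keys are still offered as well.
pin_identity() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' "$1" "$2"
}

# Stand-alone run: audit the sample listing and show the workaround.
echo "keys per type:"
printf '%s\n' "$SAMPLE_AGENT_KEYS" | count_per_type
if types=$(printf '%s\n' "$SAMPLE_AGENT_KEYS" | over_cap 3); then
    echo "no key type exceeds 3 keys"
else
    echo "over the per-type cap of 3: $types"
    echo "suggested ssh_config entry for the affected host (host and path assumed):"
    pin_identity git.example.org '~/.ssh/id_rsa_git'
fi
```

Against a live agent, source the file and pipe the real listing in: `ssh-add -L | over_cap 3`. Note that the current sshd limit is per connection, not per key type, so a type that passes this check can still exhaust the server-side limit together with the others.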