Too many public keys

Aris Adamantiadis aris at 0xbadc0de.be
Sat Apr 6 07:54:27 EST 2013


On 5/04/13 19:57, Phil Pennock wrote:

> How about cap per keytype, then?  If I'm trying to brute-force DSA,
> trying an RSA key shouldn't count against that limit.
> 
> I suspect that a reasonable limit is 3 per key-type.  Folks normally
> have one per type loaded, they might try a second because they
> forgot/didn't-know-about IdentitiesOnly, and one more allows for
> weirdness, like "I added keys from a second host for an emergency, then
> ran a tool which doesn't specify IdentitiesOnly".
> 
Hi Phil,

Sorry, but this doesn't make a lot of sense to me. IMHO if you have more
than 3 keys, they're probably of the same type (if you swear by DSA
you're unlikely to have RSA keys) and you would run into the same problems
again.
Configuring your SSH client to use the appropriate key the first time
isn't harder than typing the right password the first time, and the limit
should instead show the user that there's a problem.
Also, there's a performance penalty because each pubkey try consumes one
RTT; this can be very significant if you have more than 3 keys on slow
links (3G). You cannot change this without making OpenSSH incompatible
with the specification or without an ugly hack.

Aris
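The cost Aris describes (one round trip per key offered, and a disconnect once sshd's MaxAuthTries, 6 by default, is exhausted) is visible in the client's own `ssh -v` output. The script below is an added example, not code from this thread or from OpenSSH: it parses two constructed, abridged `ssh -v` transcripts and counts how many offers were made and how many round trips were spent on keys the server rejected. The log lines are made up for the example and the grep patterns assume the wording OpenSSH used around that era; the exact debug text varies between releases, so check it against your own `ssh -v` before relying on the patterns.

```shell
#!/bin/sh
# Added example (not from the thread): count the public keys an ssh client
# offered before the server accepted one, from `ssh -v` output. Every
# "Offering ... public key" line is one round trip on the wire.

# Constructed, abridged `ssh -v` transcripts. Real output has many more
# lines and its wording differs between OpenSSH versions.
GOOD_LOG='debug1: Offering DSA public key: /home/u/.ssh/id_dsa
debug1: Authentications that can continue: publickey
debug1: Offering ECDSA public key: /home/u/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey).'

# Six keys of the same type, none of them the right one: the server
# drops the connection once MaxAuthTries (default 6) is used up.
LOCKOUT_LOG='debug1: Offering RSA public key: /home/u/.ssh/key1
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/key2
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/key3
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/key4
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/key5
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/u/.ssh/key6
Received disconnect from 192.0.2.10: 2: Too many authentication failures for u'

# succeeded LOG -> exit 0 if public key authentication completed.
succeeded() {
    printf '%s\n' "$1" | grep -q 'Authentication succeeded (publickey)'
}

# hit_limit LOG -> exit 0 if the server disconnected for too many failures.
hit_limit() {
    printf '%s\n' "$1" | grep -q 'Too many authentication failures'
}

# count_offers LOG -> number of keys the client offered (one RTT each).
# grep -c prints 0 and exits 1 when nothing matches, hence the || true.
count_offers() {
    printf '%s\n' "$1" | grep -c 'Offering .*public key:' || true
}

# wasted_rtts LOG -> round trips spent on keys the server rejected:
# every offer but the accepted one on success, every offer on a lockout.
wasted_rtts() {
    n=$(count_offers "$1")
    if succeeded "$1"; then
        echo $((n - 1))
    else
        echo "$n"
    fi
}

# report LOG -> one-line summary.
report() {
    if hit_limit "$1"; then
        echo "locked out after $(count_offers "$1") offers; $(wasted_rtts "$1") RTTs wasted"
    else
        echo "$(count_offers "$1") offers, $(wasted_rtts "$1") wasted RTTs before the right key"
    fi
}

report "$GOOD_LOG"
report "$LOCKOUT_LOG"
```

The fix on the client side is the one Aris points at: tell ssh which key belongs to which host so the first offer is the right one, either per host in `~/.ssh/config` (`Host example.org`, `IdentitiesOnly yes`, `IdentityFile ~/.ssh/id_rsa`) or for a single connection with `ssh -o IdentitiesOnly=yes -i ~/.ssh/id_rsa example.org`. Rerunning `ssh -v` after that change should bring the offer count down to one.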


More information about the openssh-unix-dev mailing list