Mailinglist Archive: opensuse (1570 mails)

Re: [opensuse] Coordinated, distributed ssh attacks?
On Sun, 2009-10-04 at 10:55 +0200, Per Jessen wrote:
> Hans Witvliet wrote:
>
> > Just block passwords altogether, it doesn't claim any resources at
> > your side (in contrast to scrutinising that number of addresses), and
> > you don't have to analyse your logfiles for ssh attacks, as there
> > won't be any anymore.
>
> Hans, I'm curious - I've always liked this solution, but how do you
> manage all the keys? AFAICT, each server needs to know about (have the
> key for) each possible client, right?



Yes,

Up until the next release of openssh, there are two mechanisms:
1) On the destination machine you need in the file
~/.ssh/authorized_keys all the public keys for that particular user.
If that user has different key pairs on different machines, you'll see
multiple public keys here.

2) Key pairs can also be tied to a specific noninteractive
(remote) application, like rsync.

Generating the keys can also be done in two ways, either on the computer
itself, or on a security device.
If they are created locally, one can still store them on a smartcard
afterwards, and protect the private key with a PIN code.

The next version of openssh (openssh-5.2) is a huge step forward (I hope
it is 11.2, with this option activated during compilation). openssh is
then also capable of extracting the public key from a PKI certificate.
If you have PKI certificates from thawte, verisign, cacert, government
(and so on), you will be able to use these. This was already available
in the commercial version of ssh, from now on also in openssh.

Hans
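
An added example, not part of the original post and not OpenSSH code: a small parser that inventories an authorized_keys file of the kind described above, listing each key's SHA256 fingerprint, its comment and any forced command= restriction (the rsync-style key from point 2). The key blobs, comments and the rsync command line are constructed sample values.

```python
import base64
import hashlib

def split_unquoted(text, sep=None):
    """Split on sep (None means whitespace), ignoring separators inside double quotes."""
    parts, buf, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if not quoted and (ch.isspace() if sep is None else ch == sep):
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        prev = ch
    return [p for p in parts + [buf] if p]

def parse_entry(line):
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    fields = split_unquoted(line.strip())
    if not fields or fields[0].startswith("#"):
        return None
    options = {}
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):  # first field is options
        pairs = (o.partition("=") for o in split_unquoted(fields.pop(0), ","))
        options = {name.lower(): value.strip('"') or True for name, _, value in pairs}
    if len(fields) < 2:
        raise ValueError("missing key type or key data")
    raw = base64.b64decode(fields[1], validate=True)
    if raw[4:4 + int.from_bytes(raw[:4], "big")] != fields[0].encode():
        raise ValueError("key type field does not match the type embedded in the key data")
    digest = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return {"options": options, "fingerprint": "SHA256:" + digest, "comment": " ".join(fields[2:])}

def inventory(text):
    """(fingerprint, comment, forced command or None) for every key in the file."""
    entries = filter(None, map(parse_entry, text.splitlines()))
    return [(e["fingerprint"], e["comment"], e["options"].get("command")) for e in entries]

def sample_blob(fill):  # constructed placeholder blob, not a usable key
    raw = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(raw).decode()

# Constructed sample: one unrestricted login key, one key tied to an rsync job.
SAMPLE = ("# keys accepted for this account\n"
          f"ssh-ed25519 {sample_blob(1)} hans@desktop\n"
          'command="rsync --server --sender . /srv/backup/",no-pty '
          f"ssh-ed25519 {sample_blob(2)} nightly backup\n")
```

Running inventory() over each account's file gives one row per accepted client key, which makes it easy to see which keys allow an interactive login and which are confined to a single command.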