Cristian Ionescu-Idbohrn wrote:
On Thu, 14 Apr 2016, Jakub Jelen wrote:
On 04/14/2016 01:19 PM, Cristian Ionescu-Idbohrn wrote:
[..]
Yes, I know about MaxAuthTries and I used it as a workaround. Still,
I would imagine the remote server knows there's no point refusing the
slient offered keys one after the other, as none will work. Why then
not telling the client there's no point trying, use password instead?
The server knows that there is no point in trying, but the (possibly
malicious) client does not know that. And server is trying to tell
the client the least possible amount of information (basic rule of
security).
Right. Still, how much more damage could a malicious client do if it
ware presented with a password prompt? Is it worth annoying the
non-malicious clients or push the admin into ticking up MaxAuthTries?
Same argument could be applied to why I bother to present a password
prompt if all the server
accepts only public keys. By not doing it, I reduce the possible attack
service a hacker has to
break into my server. Knowing that keys aren't except for the server
or for an individual user
it leaks information that an attacker can use against me. This is the
same reason why a few
years ago we went through painful effort to stop ssh from short-cutting
out of bad authentications
attempts. Because it leaked a bit of information an attacker could
detect to shift their attack
method.
*shrug* My solution to this "issue" was to stop generating keys with
standard id_{rsa,dsa,etc}
names. And use something more useful "id_rsa_work" "id_rsa_play" ..
etc.. Then
I specify via ~/.ssh/config which key is to be served to a server. As
I honestly never
liked the "throw ssh keys at the server and see which one sticks"
feature of the SSH RFC.
It feels like a lazy way of key administration.
It was great when you are learning, but sucks when you start collecting
dozens of
ssh keys for different community, work, personal, and friend's servers.
All of them
being completely different so you can keep good isolation habits (e.g.
If I leave a
community I want to do rm -rf .ssh/id_rsa_communityname* and know for a
fact
that I no longer have the key and it improves my confidence that I'm not
going
to lose it, and thus causing a possible compromise if the community doesn't
do their own due diligence on removing my account or key).
The above also linked with ssh-agent and locking/unlocking ssh keys has
how I've
lived for 10+ years now, and have never ran into this problem.
Honestly, it is better to learn to manage your SSH keys properly.
- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
