Re: (rfc) too many keys, usecase?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, 14 Apr 2016, Ben Lindstrom wrote:
> Cristian Ionescu-Idbohrn wrote:
> >
> > Right.  Still, how much more damage could a malicious client do if
> > it ware presented with a password prompt?  Is it worth annoying
> > the non-malicious clients or push the admin into ticking up
> > MaxAuthTries?

...

> This is the same reason why a few years ago we went
> through painful effort to stop ssh from short-cutting out of bad
> authentications attempts.  Because it leaked a bit of information an
> attacker could detect to shift their attack method.

...

> Then I specify via ~/.ssh/config which key is to be served to a
> server.  As I honestly never liked the "throw ssh keys at the server
> and see which one sticks" feature of the SSH RFC.
> It feels like a lazy way of key administration.
>
> It was great when you are learning, but sucks when you start
> collecting dozens of ssh keys for different community, work,
> personal, and friend's servers.  All of them being completely
> different so you can keep good isolation habits (e.g. If I leave a
> community I want to do rm -rf .ssh/id_rsa_communityname* and know
> for a fact that I no longer have the key and it improves my
> confidence that I'm not going to lose it, and thus causing a
> possible compromise if the community doesn't do their own due
> diligence on removing my account or key).

Now, that sounds like a good idea.  I'll do that, I think.  Serve
selected key(s) to selected servers, throuh ~/.ssh/config, using the
IdentityFile option.  A little more administration, but not heavy at
all.  Thanks.


Cheers,

-- 
Cristian
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux