Intrusion Update

Damian Myerscough damian.myerscough at gmail.com
Mon Mar 30 15:52:24 UTC 2009


I have just done some research on SSH and S/Key and I read that S/Key 
cannot withstand a brute-force attack [1].

[1] http://www.gentoo-wiki.info/OpenSSH_skey

Mike McGrath wrote:
> On Mon, 30 Mar 2009, Damian Myerscough wrote:
> 
>> Hello,
>>
>> What about the use of S/Key (one-time passwords)? I think it is possible to
>> deploy SSH with S/Key authentication. I haven't looked into it that much, but it
>> could be a possible solution?
>>
> 
> If someone had my username, password, and SSH key, how would that prevent
> them from getting an OTP?
> 
> 	-Mike
> 
>> susmit shannigrahi wrote:
>>>> So I'm not quite sure how to 'fix' this problem.  By that I mean, even if
>>>> we knew this attack was going to happen I'm not totally sure of a feasible
>>>> solution, using only free software, that we could have used to fix it.
>>>> Obviously a physical rsa key or the like would have worked but I don't
>>>> think we have the manpower nor budget to implement such a system.  So I
>>>> ask the list, any ideas?
>>> A single-use random code/passwd mailed/texted each time one tries to
>>> log in and invalidated just after use??
>>>
>>> Basically I am referring to RFC 2289[1]
>>>
>>> [1]http://www.ietf.org/rfc/rfc2289.txt
>>>
>>> Thanks.
>>>
>> --
>> Regards,
>> Damian Myerscough
>>
> 

-- 
Regards,
Damian Myerscough
