On 11/21/05, Wolfgang S. Rupprecht
>
> Yup. Setting up real public-key authentication is several hundred
> orders of magnitude stronger against guessing attacks than changing
> the ssh port numbers or adding bad hosts into some IP level filter
> table and hoping the attackers won't guess a good password before they
> run out of IP addresses to test from.
>
> (And yes, I did really mean hundreds of orders of magnitude. An
> attacker has 1 chance in 10**308 of guessing the 1024-bit public key
> on each try if they follow the same brute-force attack. Given a
> billion tests per second and the whole age of the universe up to this
> time, we are still only talking a 1 in 10**281 chance.)
>

Even harder, if there's a password on that key.

The other part of this discussion, I thought, was the DoS-ability of these ssh attacks. That is, do these ssh attacks prevent legitimate users from accessing regardless of the authentication mechanism configured for sshd?

--
Jiann-Ming Su
"I have to decide between two equally frightening options. If I wanted to do that, I'd vote." --Duckman
"The system's broke, Hank. The election baby has peed in the bath water. You got to throw 'em both out." --Dale Gribble