> ... without the drawback of revealing account names. I'm not sure there is much value in hiding account names. This seems to be one of these pieces of "security through obscurity" that been passed down from one generation of computer user to the next and nobody has re-examined it recently. 1) In this day and age there are many mailing list archives and search engines that will happily tell you tons of user names on the various machines. 2) Other servers on the same machine will often reveal account names if you ask them nicely (http, smtp, finger, ident). 3) Anyone that cares about real security can configure ssh to only allow RSA or DSA keys of 1k-bits length. Knowing the account name isn't going to make it any easier for the attacker. The brute-force work factor is going to go from a 10^280 times the life of the universe to 10^270. Thats 10 with 270 zeros after it. It just isn't a threat. I think its time for software to stop pretending that account names are a state secret and deal with the issue of a too small search space of human-typed passwords by never allowing those short passwords on the wire. This is how the RSA and DSA method in ssh works now and it is very effective at preventing breakins from brute force attacks. -wolfgang -- Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/ Direct SIP URL Dialing: http://www.wsrcc.com/wolfgang/phonedirectory.html
