On 1/30/2014 11:29 PM, Raffaele Morelli wrote:
> 2014-01-30 Brian <a...@cityscape.co.uk>:
>
> > On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote:
> >
> > > On Tue, 28 Jan 2014 18:42:34 +0000
> > > Brian <a...@cityscape.co.uk> wrote:
> > >
> > > > The AllowUsers directive is a legitimate way to restrict ssh logins to
> > > > certain users. However, I do not see what (ssh keys + AllowUsers)
> > > > brings to the party that (password + AllowUsers) doesn't.
> > >
> > > A key (if kept secret) is even harder to "guess" than a
> > > password,
> >
> > I'd like to see a complex, random, high-entropy 20 character password
> > which is guessable (or capable of being cracked) in a timeframe which
> > has some significance. I'll give you "even harder" but it is of no great
> > consequence if you consider the situation where an online subversion of
> > a user's account is being attempted and a good password is in place.
>
> I'd like to see someone who uses such a 20 character password for everyday
> tasks.

I have to agree with you here, Raffaele. While it's nice to talk about
users and 20 character random keys, the fact of the matter is, they
aren't used by the vast majority of users. In many cases, even those
who *should* know better don't do it.
Sure, you could require a 20 character random key on your site - but you
won't get many people to sign up. Rather than try to remember such a
password, most people will just move on.
<snip>
> Passwords are guessable and brute force is here to stay. But can you
> show me how to simulate the presence of a key on a client side?

Yes, brute-force attacks are how most externally-generated breaches
occur. I see multiple attacks daily in my server logs.
Jerry
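Jerry's remark about seeing brute-force attempts in his server logs, illustrated with an added example that is not code from anyone in this thread: a small script that tallies sshd "Failed password" lines per source address and per target user, run over constructed sample log lines (the addresses are documentation-range placeholders), so that repeated guessing against a password-only account stands out while a successful public-key login is left out of the count.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the thread); the IP
# addresses are documentation-range placeholders, not real sources.
SAMPLE_AUTH_LOG = """\
Jan 30 23:01:12 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 30 23:01:15 host sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 30 23:01:19 host sshd[2314]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 30 23:02:40 host sshd[2320]: Failed password for jerry from 198.51.100.4 port 40112 ssh2
Jan 30 23:03:02 host sshd[2320]: Accepted publickey for jerry from 198.51.100.4 port 40112 ssh2
Jan 30 23:05:55 host sshd[2330]: Failed password for invalid user oracle from 203.0.113.7 port 51100 ssh2
"""

# Matches sshd's "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def count_failed_logins(log_text):
    """Return (failures_per_ip, failures_per_user) Counters built from the
    'Failed password' lines; other lines such as 'Accepted publickey' are ignored."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
    return per_ip, per_user


def brute_force_sources(log_text, threshold=3):
    """Source addresses whose failed-password count reaches the threshold,
    most active first. The threshold is an assumed tuning value."""
    per_ip, _ = count_failed_logins(log_text)
    return [(ip, n) for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {n} failed password attempts")
```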
Archive: http://lists.debian.org/52ebb86a.9050...@attglobal.net