On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl <pschmehl_li...@tx.rr.com> wrote: > --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <delp...@gmail.com> > wrote: > >> On FreeBSD you can probably just use the following pf.conf line to >> block most of such attacks: >> >> block in quick proto tcp from any os "Linux" to any port ssh >> >> (Note that with this you may lose the ability to login from any Linux >> based box including from an Android phone, etc) >> >> Of course it's wise to disable password authentication and just use >> public key authentication. > > Why? Ssh is encrypted, so you're not exposing a password when you login. > How does public key authentication make you more secure (in a practical > sense)?
Well, I usually avoid the term "more secure" since it really depends on the real usage and scenario. The benefits of using public key authentication are: - A typical 2048 bit key pair offered much more entropy than password average people can comfortably remember, making it practically impossible to brute force crack. - It does not transfer any credential information that can be used if being cracked. i.e. the authentication process is some kind of zero-knowledge proof, say, "I have the key but you won't see it" rather than "I have the password and here it is" (*). Password authentications are usually just plain text over an encrypted channel. Downsides are mostly at the human side, e.g.: - Survey says that many people won't encrypt their private key and protect it properly, nor treat forward agents in a secure manner; - It's not quite convenient if one don't have immediate access to their private key, i.e. a system administrator traveling without his laptop but arguably, this case should never happen since using passwords on untrusted system is much more dangerous. (*) This can of course be improved, though but I am not aware of any alternative that does not impose more restrictions. Cheers, -- Xin LI <delp...@delphij.net> http://www.delphij.net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/