On Mon, 21 Jun 2010 10:04:59 -0400 Ted Roche <tedro...@gmail.com> wrote:

> On Mon, Jun 21, 2010 at 9:28 AM, Benjamin Scott <dragonh...@gmail.com> wrote:
> >
> > Apparently attackers are going after "keyboard interactive"
> > authentication, which is separate from "password authentication".
> >
>
> So, even if I have set PasswordAuthentication no in my sshd_config,
> there's still a way to ssh into the server without a key pair? That's
> confusing.
>
> Time to break out the dog-eared snail book and get a refresh...

I had to do the same. "Challenge/Response" ?? "S/Key" ????

From Barrett & Silverman, "SSH...The Definitive Guide", 1st ed., p 175:

"S/Key is a one-time password system, created by Bellcore [...] 'One-time' means that each time you authenticate, you provide a different password" ...

The remote sshd service provides you with an integer and a string, which you enter into a magic calculator on your local machine, along with a secret passphrase [never transmitted], and the "calculator" produces your one-time password.

My reading is that Yes, there's a way to ssh in without a key pair; but No, the bad guys don't get in that way (unless the one-time key framework was very poorly set up somehow); and What You Care About is that a machine which OFFERS the S/Key method will get lots of attention from the world of botnets.

START WITH NEVER EXPOSING SSHD ON PORT 22.

-Bill
who just went and looked, and found one of his servers with S/Key still defaulted (on), but with not a peep in the logs because of not being on port 22.
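The one-time password exchange Bill describes (the server hands out an integer and a string, the client combines them with a passphrase that never leaves its machine, the server checks the result) is small enough to write out. The following is an added illustration, not code from the thread, from the book, or from OpenSSH. It follows the RFC 2289 OTP scheme (the standardised successor of S/Key) with its MD5 variant, because the MD4 that original S/Key used is missing from `hashlib` in most Python builds; the passphrase, seed and sequence number are constructed values, and the six-word encoding of the 64-bit result is left out in favour of raw bytes.

```python
import hashlib

# Constructed example values (not from the thread).
PASSPHRASE = "correct horse battery"   # secret; stays on the client machine
SEED = "nh2010"                        # public; the "string" in the challenge


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def _step(value: bytes) -> bytes:
    """One hash-and-fold step; applying it to otp(n-1) yields otp(n)."""
    return _fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """One-time password number `count`: seed+passphrase hashed once,
    then hashed `count` more times. This is the client-side 'calculator'."""
    value = _step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = _step(value)
    return value


class OtpServer:
    """Server side. It never holds the passphrase, only the *next expected*
    value, which it can check by hashing the response once more."""

    def __init__(self, passphrase: str, seed: str, sequence: int = 100):
        self.seed = seed
        self.sequence = sequence
        # One-time enrolment: the server records otp(sequence) while the
        # user is present; the passphrase itself is discarded afterwards.
        self.stored = otp(passphrase, seed, sequence)

    def challenge(self):
        """The 'integer and string' sent to the client: compute otp(sequence-1)."""
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 0:
            return False                      # sequence exhausted; re-enrol
        if _step(response) != self.stored:
            return False                      # wrong passphrase or a replay
        # Accepted: the response becomes the new stored value, so the same
        # value can never be accepted again.
        self.stored = response
        self.sequence -= 1
        return True


def demo():
    """Run one honest login, a replay of the captured value, a wrong
    passphrase, and a second honest login. Returns the four verdicts."""
    server = OtpServer(PASSPHRASE, SEED)

    count, seed = server.challenge()
    resp = otp(PASSPHRASE, seed, count)       # computed locally by the client
    first = server.verify(resp)               # True
    replay = server.verify(resp)              # False: value already consumed

    count, seed = server.challenge()
    wrong = server.verify(otp("wrong passphrase", seed, count))   # False
    second = server.verify(otp(PASSPHRASE, seed, count))          # True
    return first, replay, wrong, second


if __name__ == "__main__":
    print(demo())
```

The point the thread is circling: the server stores no passphrase and each accepted value is immediately retired, so a password sniffed off the wire is useless for a replay, which is why a correctly set up S/Key method is not the hole the botnets are hoping for. Whether sshd offers this method at all is a separate switch from `PasswordAuthentication` (in OpenSSH of that era, `ChallengeResponseAuthentication` in `sshd_config`), which is why turning off password authentication alone still leaves the keyboard-interactive path answering.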
> On Mon, Jun 21, 2010 at 9:28 AM, Benjamin Scott <dragonh...@gmail.com> wrote: > > > > Apparently attackers are going after "keyboard interactive" > > authentication, which is separate from "password authentication". > > > > So, even if I have set PasswordAuthentication no in my sshd_config, > there's still a way to ssh into the server without a key pair? That's > confusing. > > Time to break out the dog-eared snail book and get a refresh... I had to do the same. "Challenge/Response" ?? "S/Key" ???? From Barret & Silverman, "SSH...The Definitive Guide", 1st ed., p 175: "S/Key is a one-time password system, created by Bellcore [...] 'One-time' means that each time you authenticate, you provide a different password" ... The remote sshd service provides you with an integer and a string, which you enter into a magic calculator on your local machine, along with a secret passphrase [never transmitted], and the "calculator" produces your one-time password. My reading is that Yes, there's a way to ssh in without a key pair; but No, the bad guys don't get in that way (unless the one-time key framework was very poorly set up somehow); and What You Care About is that a machine which OFFERS the S/Key method will get lots of attention from the world of botnets. START WITH NEVER EXPOSING SSHD ON PORT 22. -Bill who just went and looked, and found one of his servers with S/Key still defaulted (on), but with not a peep in the logs because of not being on port 22. _______________________________________________ gnhlug-discuss mailing list gnhlug-discuss@mail.gnhlug.org http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/