[ILUG] SSH dictionary attacks.

Colm MacCarthaigh colm at stdlib.net
Fri Aug 25 20:54:54 IST 2006


On Fri, Aug 25, 2006 at 06:25:11PM +0100, Aine Douglas wrote:
> On 8/25/06, Badger <badger at scattermail.com> wrote:
> >I agree with what Colm Mac Carthaigh said in the alternate reply
> >to your post Aine, but I just wanted to drill down on some of the
> >other points:
> 
> What Colm said was that anyone could implement their own tool using
> the PKCS standards, break the standard and make it do something
> entirely different. 

No, that's not quite what I'm saying. You're missing the broader, more
profound, point. The security you are talking about with the ROS is
merely that you're only allowed to use one tool which has its own password
policy enforcement. There is no inherent PKI or crypto magic going
on which actually enforces this.

The real point is that this wouldn't work with ssh, and the notion that
it possibly could can only be founded in ignorance. There are already
widely deployed SSH clients which will allow you to use PEM, DSA, RSA, BLOB,
an agent daemon, and a range of other keystores.

Even if an SSH client were implemented which enforced the password
HMAC scheme for PKCS12, there would be no benefit, because one of the
other keystores could be used anyway. That's not implementing their
own tool, or "hacking"; it's using the default behaviour of the tool.

Another problem is that as SSH is a widely deployed standardised
protocol it wouldn't take very long before a version of the client was
available which omitted this annoyance of a "feature" for users. Users
like being able to encrypt their keys with arbitrary passwords.

> I could re-write a webserver and make it a mailserver. 

I've done both, Apache httpd and bits of mod_smtpd. Guess I'm a hacker
;-)

> could rewrite a telnet tool and make it talk SSH.

Hmmm, helped do that too, I think I'm still in the credits file for
PuTTY.

> You could turn a road into a canal if you build walls and add tanking. 

Now *that* sounds like a challenge, and I am moving to the Netherlands
on Monday.

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
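Added example, not part of the thread above and not code from any of the projects it mentions: since the client side cannot enforce a passphrase policy (any of the keystores Colm lists can be used instead), the practical control is to audit the key files that actually exist on a host. The checker below recognises the three on-disk formats a typical OpenSSH installation produces, traditional PEM (RSA/DSA/EC, encryption flagged by a `Proc-Type: 4,ENCRYPTED` header), PKCS#8 (`BEGIN ENCRYPTED PRIVATE KEY` vs `BEGIN PRIVATE KEY`), and the `openssh-key-v1` blob (a cipher name other than `none` means a passphrase is set). The sample key texts are constructed stand-ins with dummy bodies, not real keys; the header conventions and the `openssh-key-v1` magic and field layout are the real ones.

```python
import base64
import struct
from typing import Dict, List, Optional

# Constructed sample key files (dummy bodies, not real key material).
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

PLAIN_DSA_PEM = """-----BEGIN DSA PRIVATE KEY-----
AAAA
-----END DSA PRIVATE KEY-----
"""

PLAIN_PKCS8 = """-----BEGIN PRIVATE KEY-----
AAAA
-----END PRIVATE KEY-----
"""


def _openssh_blob(ciphername: bytes) -> str:
    # Construct only the leading fields of the openssh-key-v1 layout:
    # magic, then length-prefixed cipher name and KDF name. That is all
    # the check below needs; the remainder of a real blob is omitted.
    body = b"openssh-key-v1\x00"
    body += struct.pack(">I", len(ciphername)) + ciphername
    kdf = b"none" if ciphername == b"none" else b"bcrypt"
    body += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            f"{b64}\n-----END OPENSSH PRIVATE KEY-----\n")


ENCRYPTED_OPENSSH = _openssh_blob(b"aes256-ctr")
PLAIN_OPENSSH = _openssh_blob(b"none")


def key_is_encrypted(text: str) -> Optional[bool]:
    """True if the private key carries a passphrase, False if it does not,
    None if the text is not a recognised private-key format."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return None
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True                      # PKCS#8, encrypted
    if header == "-----BEGIN PRIVATE KEY-----":
        return False                     # PKCS#8, cleartext
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic) or len(blob) < len(magic) + 4:
            return None
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"         # "none" means no passphrase
    if header.endswith(" PRIVATE KEY-----"):
        # Traditional PEM (RSA/DSA/EC): encryption is flagged in a header line.
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                   for l in lines[1:])
    return None


def unprotected_keys(files: Dict[str, str]) -> List[str]:
    """Names of the key files that parse as private keys and lack a passphrase."""
    return sorted(name for name, text in files.items()
                  if key_is_encrypted(text) is False)


if __name__ == "__main__":
    sample = {
        "id_rsa": ENCRYPTED_PEM,
        "id_dsa": PLAIN_DSA_PEM,
        "pkcs8.key": PLAIN_PKCS8,
        "id_ed25519": ENCRYPTED_OPENSSH,
        "deploy_key": PLAIN_OPENSSH,
        "notes.txt": "not a key",
    }
    print("keys without a passphrase:", unprotected_keys(sample))
```

In practice the `sample` dict would be replaced by reading `~/.ssh/*` (and any other directories the host's users keep keys in) on each managed host, which is the only place such a policy can actually be checked; the check also says nothing about passphrase strength, which no file format exposes.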
