On Wednesday 14 May 2008, Niall O Broin wrote:
> And just to add some fun - a tool is available at http://
> security.debian.org/project/extra/dowkd/dowkd.pl.gz to check some
> passwords. This tool fails on Ubuntu dapper (which is not a
> vulnerable distribution, but I was testing a bunch of keys on a
> dapper box) when called with the user option. This SHOULD loop
> through all users, but instead it repeatedly checks root.
>>> Niall
debian/ubuntu have now packaged up a nicer "ssh-vulnkeys" tool that
will check the keys, though of course it can only check
known-bad ones. Their openssh packages now depend on it, and can use it
to autocheck.
I've been paranoid enough* to impose basic ssh connection rate limiting
(i.e. < n connections per min per ip) for quite a while, due to
rampant password-type brute forcing attempts. But... how many
different public keys does an ssh server allow a client to try
on one opened connection?
* Apparently not paranoid enough to audit package sources or even just
distro changes from the likes of Debian though... :-(
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
