Thread: making a home server

  1. #1
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by jeffcobb View Post
    Two basic types of SSH keys are ones you type from the keyboard and the ones I think you are thinking of as "keyless" are the public/private keys set up so that if you issue a keyset to a remote user, they can log in simply by using their name b/c the computer is auto-supplying the stronger key. It is not meaning "leave your system wide open".
    In ssh nomenclature, what you refer to as "keyless" are called keys, and they are clearly distinct from passwords. You cannot enter them on the keyboard. They are more than 1600 bytes. This is what I meant by "infeasible" by brute force. Isn't that 2^8^1600? Even if you made 4 attempts per second, I think this will take you more than a billion years...and you still won't be 1% done.

    And since it is a "horseshoes and hand grenades" type game, brute force is the only option. Like I said, it was my understanding that this was the whole purpose of ssh, and using it without them is akin to installing a laser perimeter alarm -- then never plugging it in.

    This is probably why my man at NASA says no one has got in that way in 10 years (ie, the entire time). If brute force attacks are all you guys are worried about, I'm gonna say you're beyond paranoid -- you're totally insane.
    Last edited by MK27; 01-27-2010 at 02:08 PM.
    C programming resources:
    GNU C Function and Macro Index -- glibc reference manual
    The C Book -- nice online learner guide
    Current ISO draft standard
    CCAN -- new CPAN like open source library repository
    3 (different) GNU debugger tutorials: #1 -- #2 -- #3
    cpwiki -- our wiki on sourceforge

  2. #2
    Registered User jeffcobb's Avatar
    Join Date
    Dec 2009
    Location
    Henderson, NV
    Posts
    875
    Quote Originally Posted by MK27 View Post
    In ssh nomenclature, what you refer to as "keyless" are called keys, and they are clearly distinct from passwords. You cannot enter them on the keyboard. They are more than 1600 bytes. This is what I meant by "infeasible" by brute force. Isn't that 2^8^1600? Even if you made 4 attempts per second, I think this will take you more than a billion years...and you still won't be 1% done.

    And since it is a "horseshoes and hand grenades" type game, brute force is the only option. Like I said, it was my understanding that this was the whole purpose of ssh, and using it without them is akin to installing a laser perimeter alarm -- then never plugging it in.

    This is probably why my man at NASA says no one has got in that way in 10 years (ie, the entire time). If brute force attacks are all you guys are worried about, I'm gonna say you're beyond paranoid -- you're totally insane.
    True enough; and I was generalizing. For password-based authentication, however, it makes nothing I said any the less valid. There is the old joke about "being paranoid doesn't mean they are not out to get you," but when I look at my server logs and find attempts to get in through everything from ssh to MS services from China, et al, I can honestly say they ARE out to get you. I/we may seem paranoid to you; you seem naive to me, that's for sure. I cannot speak to your friend at NASA, but if security was as simple as you would have us believe, I would wager far fewer machines would be hacked and set up as part of zombie nets... The thing with the above-mentioned attack is that, while brute force, due to the nature of the relaxed timing it often falls below the radar of the typical IDS and therefore can go on for years w/o detection. To me, the attack that you cannot even see coming, lame or not, is one of the most dangerous kinds...
    C/C++ Environment: GNU CC/Emacs
    Make system: CMake
    Debuggers: Valgrind/GDB
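The "relaxed timing" point above is worth seeing in code. The following is an added example, not code from either poster: it parses constructed sshd log lines (the host name, addresses and timestamps are made up) and compares a classic short-window failure threshold with a long-window one. A source that spaces its password guesses about twelve minutes apart never trips the 5-failures-in-60-seconds rule, but does show up when the same count is applied over 24 hours. The thresholds and window sizes are assumptions for illustration, not tuned values.

```python
"""Flag low-and-slow SSH password guessing that a short-window threshold misses.

Added example for this thread. The log lines, host name "home", addresses and
thresholds are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (no year in the timestamp, year assumed 2010).
SAMPLE_LOG = """\
Jan 27 02:00:01 home sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 27 02:12:30 home sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Jan 27 02:25:02 home sshd[1213]: Failed password for root from 203.0.113.7 port 40141 ssh2
Jan 27 02:37:44 home sshd[1220]: Failed password for invalid user oracle from 203.0.113.7 port 40150 ssh2
Jan 27 02:50:09 home sshd[1226]: Failed password for root from 203.0.113.7 port 40163 ssh2
Jan 27 03:03:15 home sshd[1231]: Failed password for invalid user test from 203.0.113.7 port 40170 ssh2
Jan 27 03:15:58 home sshd[1238]: Failed password for root from 203.0.113.7 port 40181 ssh2
Jan 27 03:28:21 home sshd[1244]: Failed password for invalid user guest from 203.0.113.7 port 40192 ssh2
Jan 27 02:05:00 home sshd[1203]: Failed password for jeff from 192.0.2.44 port 51002 ssh2
Jan 27 02:05:06 home sshd[1203]: Accepted publickey for jeff from 192.0.2.44 port 51002 ssh2
Jan 27 02:30:00 home sshd[1215]: Failed password for root from 198.51.100.9 port 33000 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(text, year=2010):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def failures_by_source(events):
    """Group failure timestamps by source address, sorted oldest first."""
    by_src = defaultdict(list)
    for ts, _user, ip in events:
        by_src[ip].append(ts)
    for stamps in by_src.values():
        stamps.sort()
    return by_src


def sources_over_threshold(by_src, threshold, window_seconds):
    """Sources with at least `threshold` failures inside some `window_seconds` span."""
    hits = set()
    for ip, stamps in by_src.items():
        # Slide a window of `threshold` consecutive failures along the sorted stamps.
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                hits.add(ip)
                break
    return hits


def burst_sources(events, threshold=5, window_seconds=60):
    """The classic rule: N failures from one address within a minute."""
    return sources_over_threshold(failures_by_source(events), threshold, window_seconds)


def slow_sources(events, threshold=5, long_window_seconds=24 * 3600, burst_window_seconds=60):
    """Addresses that reach the same failure count only over a long window,
    i.e. exactly the ones the burst rule lets through."""
    by_src = failures_by_source(events)
    long_hits = sources_over_threshold(by_src, threshold, long_window_seconds)
    burst_hits = sources_over_threshold(by_src, threshold, burst_window_seconds)
    return long_hits - burst_hits


def mean_gap_seconds(events, ip):
    """Average spacing between consecutive failures from `ip`, or None if fewer than two."""
    stamps = failures_by_source(events).get(ip, [])
    if len(stamps) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    print("burst rule flags:", burst_sources(evts) or "nothing")
    for ip in slow_sources(evts):
        print(f"slow guessing from {ip}: mean gap {mean_gap_seconds(evts, ip):.0f}s")
```

Run stand-alone, the burst rule flags nothing while the long-window rule reports 203.0.113.7 with a mean gap of roughly twelve minutes. The design point is that the two rules share one sliding-window function and differ only in the window length, so keeping both costs nothing; the single failure from 192.0.2.44 followed by an accepted public-key login is never counted against anyone.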

  3. #3
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by jeffcobb View Post
    For password-based authentication, however, it makes nothing I said any the less valid. [...] The thing with the above-mentioned attack is that, while brute force, due to the nature of the relaxed timing it often falls below the radar of the typical IDS and therefore can go on for years w/o detection. To me, the attack that you cannot even see coming, lame or not, is one of the most dangerous kinds...
    Yeah, but it sounds to me like this is just a product of pure ignorance, laziness, and/or stupidity -- not using public/private keys. I'm not surprised at all that people get cracked that way. If you left your car parked downtown with the windows rolled down and the keys on the front seat, how many nights do you think would go by before there was a "startling security violation"?

    Slow brute force attacks may be "insidious" and "undetectable", and maybe great if you are (patiently) phishing for access to someone's Facebook page, but versus a 1600 byte key, who cares? They will still be plodding insidiously along when the sun burns out -- when the known universe collapses in upon itself. Etc.

    Please. People. Use the keys.

  4. #4
    {Jaxom,Imriel,Liam}'s Dad Kennedy's Avatar
    Join Date
    Aug 2006
    Location
    Alabama
    Posts
    1,065
    Quote Originally Posted by MK27 View Post
    you're totally insane
    Dude, don't lump the paranoid into my group (insanity doesn't run in my family -- it gallops), I'm not paranoid at all.
    ::what was that::

  5. #5
    Registered User jeffcobb's Avatar
    Join Date
    Dec 2009
    Location
    Henderson, NV
    Posts
    875
    Quote Originally Posted by MK27 View Post
    -- you're totally insane
    Well I initially had that reaction to your coding style but had the tact to keep it to myself. I take the "having a sense of security is insane" and file it in the stupid folder myself. To use your unlocked car analogy, I see my level of security as locking the car door and not leaving the laptop/iPhone in plain view. The unlocked car with the windows rolled down are those exposing completely unprotected services -- now *that* I consider insane...

  6. #6
    spurious conceit MK27's Avatar
    Join Date
    Jul 2008
    Location
    segmentation fault
    Posts
    8,300
    Quote Originally Posted by jeffcobb View Post
    Well I initially had that reaction to your coding style but had the tact to keep it to myself.
    Sigh. Not everyone appreciates free thinkin'. You should see what's in the pipe.
