True enough; and I was generalizing. For password-based authentication however it makes nothing I said any the less valid. There is the old joke about "being paranoid doesn't mean they are not out to get you" but when I look at my server logs and find attempts to get in through everything from ssh to MS services from China, et al I can honestly say they ARE out to get you. I/we may seem paranoid to you; you seem naive to me, that's for sure. I cannot speak to your friend at NASA but if security was as simple as you would have us believe, I would wager far fewer machines would be hacked and set up as part of zombie nets...the thing with the above-mentioned attack is that while brute force, due to the nature of the relaxed timing it often falls below the radar of the typical IDS and therefore can go on for years w/o detection. To me, the attack that you cannot even see coming, lame or not is one of the most dangerous kinds...Originally Posted by MK27
In ssh nomenclature, what you refer to as "keyless" are called keys, and they are clearly distinct from passwords. You cannot enter them on the keyboard. They are more than 1600 bytes. This is what I meant by "infeasible" by brute force. Isn't that 2^8^1600? Even if you made 4 attempts per second, I think this will take you more than a billion years...and you still won't be 1% done.
And since it is a "horseshoes and handgrenades" type game, brute force is the only option. Like I said, it was my understanding that this was the whole purpose of ssh and using it without them is akin to installing a laser perimeter alarm -- then never plugging it in.
This is probably why my man at NASA says no one has got in that way in 10 years (ie, the entire time). If brute force attacks are all you guys are worried about, I'm gonna say you're beyond paranoid -- you're totally insane
