[95204] in cryptography@c2.net mail archive


Re: improving ssh

daemon@ATHENA.MIT.EDU (Ed Gerck)
Thu Jul 19 09:31:10 2007

Date: Mon, 16 Jul 2007 20:41:44 -0700
From: Ed Gerck <edgerck@nma.com>
To: Cryptography <cryptography@metzdowd.com>
In-Reply-To: <B24106AB-49DF-4AC1-ADBD-809301C96F75@solarsail.hcs.harvard.edu>

Ivan Krstić wrote:
> On Jul 14, 2007, at 2:43 PM, Ed Gerck wrote:
>> 1. firewall port-knocking to block scanning and attacks
>> 2. firewall logging and IP disabling for repeated attacks (prevent DoS,
>> block dictionary attacks)
>> 3. pre- and post-filtering to prevent SSH from advertising itself and
>> server OS
>> 4. block empty authentication requests
>> 5. block sending host key fingerprint for invalid or no username
>> 6. drop SSH reply (send no response) for invalid or no username
> 
> None of these are crypto issues. 

Perhaps not the way they are solved today (see above), and that IS
the problem. For example, the lack of good crypto solutions to protocol
bootstrap contributes significantly to security holes 1-7.

Cheers,
Ed Gerck
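As an added illustration of item 2 in the quoted list (firewall logging and IP disabling for repeated attacks), and not code from the thread or its authors, the following Python scans constructed sshd log lines, counts failed password attempts per source address and returns the sources past a threshold, which is the input a firewall block rule would act on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not taken from the original thread).
SAMPLE_LOG = """\
Jul 16 20:40:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jul 16 20:40:03 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 50212 ssh2
Jul 16 20:40:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 50213 ssh2
Jul 16 20:40:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Jul 16 20:40:09 host sshd[1205]: Accepted publickey for alice from 198.51.100.22 port 40022 ssh2
Jul 16 20:40:12 host sshd[1206]: Failed password for bob from 198.51.100.22 port 40023 ssh2
Jul 16 20:40:20 host sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 50215 ssh2
"""

# Matches OpenSSH "Failed password" lines; "invalid user" is optional and
# marks an attempt against a username that does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text):
    """Return (ip, user, invalid_user) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user"), "invalid user" in line))
    return out


def sources_to_block(log_text, threshold=3):
    """Source IPs with at least `threshold` failures; the block list for item 2."""
    counts = Counter(ip for ip, _, _ in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def usernames_tried(log_text):
    """Distinct usernames per source; many names from one source is a dictionary-attack signal."""
    tried = defaultdict(set)
    for ip, user, _ in parse_failures(log_text):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


if __name__ == "__main__":
    for ip in sources_to_block(SAMPLE_LOG):
        print(f"block {ip}: tried {usernames_tried(SAMPLE_LOG)[ip]}")
```

The threshold and time window are policy choices; a production filter would also expire entries so a shared address is not blocked indefinitely.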

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
