IETF-SSH archive
Re: "too many auth failures"?
>> My view is that servers should have two failure counters: one for
>> password and keyboard-interactive, another one for all others.
> Yeah, I'd thought about that too, but where do you stop? Which
> counter type would a ZKP use? Or EKE? Or IBE?
The "all others".
Think about the point of those failure counters: they're designed to
slow down password-guessing attacks. publickey, ZKP, etc, don't have
anything like password-guessing risks, so it's arguably inappropriate
to do failure counters for them.
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
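
The two-counter policy discussed in this message, as an added example that is not part of the original post or of any SSH server's code. The limits, function names and sample sessions are assumptions, constructed for illustration; it replays the same sessions against one shared failure counter and against split counters.

```python
from collections import Counter

# Methods the thread groups as password-guessing targets; every other
# method (publickey, hostbased, ...) lands in the "all others" bucket.
GUESSABLE = frozenset({"password", "keyboard-interactive"})


def bucket(method):
    return "guessable" if method in GUESSABLE else "other"


def run_session(attempts, limits):
    """Replay (method, succeeded) attempts against failure limits.

    limits maps a bucket name to its maximum failure count (None means
    that bucket is not counted at all). A key of "any" applies one shared
    counter to every method, i.e. the single-counter design.
    Returns (outcome, number_of_attempts_processed).
    """
    failures = Counter()
    for n, (method, ok) in enumerate(attempts, 1):
        if ok:
            return ("authenticated", n)
        key = "any" if "any" in limits else bucket(method)
        failures[key] += 1
        limit = limits.get(key)
        if limit is not None and failures[key] >= limit:
            return ("disconnected", n)
    return ("open", len(attempts))


# Hypothetical limits, chosen only for this illustration.
SINGLE = {"any": 6}
SPLIT = {"guessable": 3, "other": 20}
SPLIT_UNCOUNTED = {"guessable": 3, "other": None}

# Constructed sessions: a client that offers seven keys the server rejects
# and then supplies a correct password, and a client that only guesses passwords.
MANY_KEYS = [("publickey", False)] * 7 + [("password", True)]
GUESSER = [("password", False)] * 10

if __name__ == "__main__":
    for name, limits in (("single", SINGLE), ("split", SPLIT),
                         ("split, others uncounted", SPLIT_UNCOUNTED)):
        print(name, run_session(MANY_KEYS, limits), run_session(GUESSER, limits))
```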