IETF-SSH archive


Re: "too many auth failures"?



On Thu, Oct 28, 2010 at 01:46:12PM +1300, Peter Gutmann wrote:
> [Combining several replies to save space]
> 
> Simon Josefsson <simon%josefsson.org@localhost> writes:
> 
> >Also, you could refuse to enter a PIN to get the key skipped...  You could
> >specify what key to use...  You could specify to not use any keys. You could
> >use an agent that gets the PIN.

I wrote that, not Simon :)

> You forgot the one that actually happens, based on extensive real-life
> experience with S/MIME and SSL:
> 
> - The user bypasses the annoying security mechanisms in order to get on with
>   their job and avoid all the crap that their (from their perspective) broken
>   software is throwing at them.

How would they do that from the client side?

Anyways, I suspect that SSH keys are rarely stored on smartcards, so
this isn't a big problem _yet_.  I agree that it will be, ...

...but the most reasonable solution is to hand the smartcard and PIN to
an ssh-agent.  If the user's not willing even to type a PIN _once_, then
smartcards won't succeed.

Nico
-- 


