If you guys are interested I have a list of login/password combos they use:
http://vapid.dhs.org/ssh-attack-passwd.txt

> On 6/17/2010 3:21 PM, Paul Schmehl wrote:
>> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI <[email protected]> wrote:
>>>
>>> Of course it's wise to disable password authentication and just use
>>> public key authentication.
>>
>> Why? Ssh is encrypted, so you're not exposing a password when you login.
>> How does public key authentication make you more secure (in a practical
>> sense)?
>
> In the case of SSH password auth you are handing the plaintext password
> directly to any server you log in to. For many of us, this is basically
> any time we're expecting to contact that server for the first time from
> that client machine. For users who are willing to bypass a server key
> mismatch warning, they may be giving away their password every time.
>
> I know there's somebody out there who always verifies server
> fingerprints through an independent trusted channel before accepting
> them. I would like to meet this person.
>
> Often the same password is used on multiple systems (e.g.
> kerberos/active directory).
>
> However, if the client is configured to only use public key auth,
> accidentally connecting to a malicious server does not automatically
> give the bad guy your plaintext password.
>
> - Marsh
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
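As an added example (not code from this thread or from any of its posters), here is the client-side setup Marsh describes: an OpenSSH ssh_config fragment that offers only public-key authentication and refuses unknown or changed host keys, together with a small audit function that checks an existing config for those settings, and a helper that compares a host key's fingerprint against one obtained through an independent channel. Option names assume OpenSSH 8.7 or later (where KbdInteractiveAuthentication replaced ChallengeResponseAuthentication); the file names and the sample "weak" config are constructed for the demonstration, and the audit deliberately ignores Host-block scoping and the Key=value spelling of directives.

```shell
#!/bin/sh
# Added example, not part of the thread. Hardened OpenSSH *client* settings:
# with these in ~/.ssh/config the client never sends a password, so a rogue
# or mis-identified server only ever sees a public-key signature.
HARDENED_SSH_CONFIG='Host *
    # Never offer password or keyboard-interactive (password-style) auth.
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    PreferredAuthentications publickey
    PubkeyAuthentication yes
    # Offer only the identities named in the config, not every agent key.
    IdentitiesOnly yes
    # Refuse hosts whose key is unknown or changed; first-contact keys must
    # be added to known_hosts after out-of-band fingerprint verification.
    StrictHostKeyChecking yes
'

# Audit an ssh_config file. Returns 0 when every required option has the
# required value; otherwise prints each missing/wrong option and returns 1.
# Keywords are case-insensitive in ssh_config, and the first occurrence of a
# keyword wins, so the first match is taken. Assumes "Keyword value" form
# and ignores Host-block scoping (a simplification for this example).
audit_ssh_config() {
    file="$1"
    status=0
    for pair in "PasswordAuthentication=no" "KbdInteractiveAuthentication=no" \
                "PubkeyAuthentication=yes" "StrictHostKeyChecking=yes"; do
        key="${pair%%=*}"
        want="${pair#*=}"
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$file")
        if [ "$got" != "$want" ]; then
            echo "MISSING/WRONG: $key (found '${got:-<unset>}', want '$want')"
            status=1
        fi
    done
    return $status
}

# Compare the SHA256 fingerprint of a host public key file (for example one
# saved from ssh-keyscan) with a fingerprint obtained through an independent
# trusted channel. Requires ssh-keygen; not exercised by the self-check below.
fingerprint_matches() {
    keyfile="$1"
    expected="$2"
    actual=$(ssh-keygen -l -E sha256 -f "$keyfile" | awk '{print $2}')
    [ "$actual" = "$expected" ]
}

# Self-check on two constructed config files: the hardened one above and a
# permissive one that still allows password authentication.
workdir=$(mktemp -d)
printf '%s' "$HARDENED_SSH_CONFIG" > "$workdir/hardened_config"
printf 'Host *\n    PasswordAuthentication yes\n    PubkeyAuthentication yes\n' \
    > "$workdir/weak_config"

echo "hardened config:"
audit_ssh_config "$workdir/hardened_config" && echo "  OK"
echo "weak config:"
audit_ssh_config "$workdir/weak_config" || echo "  needs attention"
```

To apply this to a real client, merge the `Host *` block into `~/.ssh/config` and run `audit_ssh_config ~/.ssh/config`; per-host exceptions (a server that genuinely only supports passwords) belong in a more specific `Host` block placed before the `Host *` block, since the first value found for a keyword is the one OpenSSH uses.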
