ssh security

Wolfgang S. Rupprecht wolfgang+gnus200601 at dailyplanet.dontspam.wsrcc.com
Wed Jan 4 19:48:22 UTC 2006


> ... without the drawback of revealing account names.

I'm not sure there is much value in hiding account names.  This seems
to be one of these pieces of "security through obscurity" that has been
passed down from one generation of computer user to the next and
nobody has re-examined it recently.

1) In this day and age there are many mailing list archives and search
   engines that will happily tell you tons of user names on the
   various machines.

2) Other servers on the same machine will often reveal account names
   if you ask them nicely (http, smtp, finger, ident).

3) Anyone that cares about real security can configure ssh to only
   allow RSA or DSA keys of 1k-bits length.  Knowing the account name
   isn't going to make it any easier for the attacker.  The
   brute-force work factor is going to go from a 10^280 times the life
   of the universe to 10^270.  That's 10 with 270 zeros after it.  It
   just isn't a threat.

I think it's time for software to stop pretending that account names
are a state secret and deal with the issue of a too small search space
of human-typed passwords by never allowing those short passwords on
the wire.  This is how the RSA and DSA method in ssh works now and it
is very effective at preventing breakins from brute force attacks.

-wolfgang
-- 
Wolfgang S. Rupprecht                http://www.wsrcc.com/wolfgang/
Direct SIP URL Dialing: http://www.wsrcc.com/wolfgang/phonedirectory.html
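An added example, not part of the original post: a small POSIX sh audit that checks whether an sshd_config actually enforces the "keys only, no human-typed password on the wire" posture the post recommends. It assumes directives are written in the "Keyword value" form in the global section (Match blocks are not evaluated), and it mirrors sshd's rule that the first occurrence of a keyword wins, which is the usual way a "fixed" config still accepts passwords.

```shell
#!/bin/sh
# Print the effective value of keyword $2 in sshd_config $1. sshd keeps the FIRST
# value it sees for a keyword, compares keywords case-insensitively and skips
# comment and blank lines; the audit mirrors that. Prints nothing if the keyword
# is unset. Assumption: "Keyword value" form, global section only (stops at Match).
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { print tolower($2); exit }
    ' "$1"
}

# want FILE KEYWORD EXPECTED DEFAULT: print a finding line if the effective value
# (or the OpenSSH default when the keyword is unset) differs from EXPECTED.
want() {
    v=$(sshd_effective "$1" "$2"); v=${v:-$4}
    [ "$v" = "$3" ] || echo "$2 is '$v' (want $3)"
}

# Exit 0 only if no human-typed password can be offered on the wire and key
# auth stays enabled. OpenSSH defaults all three of these to "yes" when unset.
check_keys_only() {
    findings=$(
        want "$1" PubkeyAuthentication yes yes
        want "$1" PasswordAuthentication no yes
        want "$1" ChallengeResponseAuthentication no yes
    )
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Two constructed sample configs (not from any real host). weak.conf looks fixed
# at a glance, but the appended "no" never takes effect: the first "yes" wins.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        '# appended later; sshd ignores a repeated keyword' \
        'PasswordAuthentication no' > "$d/weak.conf"
    printf '%s\n' '# keys only' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
        > "$d/hard.conf"
    echo "$d"
}

# Demo: weak.conf fails (PasswordAuthentication still yes), hard.conf passes.
samples=$(make_samples)
for f in weak hard; do
    if check_keys_only "$samples/$f.conf"; then echo "$f.conf: keys only"; fi
done
```

Run it against a real file with `check_keys_only /etc/ssh/sshd_config`; a clean result prints nothing and exits 0, and `sshd -T` remains the authoritative view of the effective configuration, including Match blocks this script does not evaluate.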
