[ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?
- Subject: [ale] any suggestions on an automated method for blocking repeated failed ssh login attempts?
- From: jim.kinney at gmail.com (Jim Kinney)
- Date: Thu, 23 Dec 2010 16:02:17 -0500
- In-reply-to: <[email protected]>
- References: <[email protected]> <[email protected]>
On Thu, Dec 23, 2010 at 3:29 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>
>
> I know I'm doing my IPv6 talk next month for ALE. Maybe I need to
> schedule my talk on "Securing the Secure Shell" some time in the next
> few months as well. I gave that talk in front of AUUG a while back but
> I don't think I've delivered it at ALE before.
>

I am all for hearing it! Aaron, please contact MHW ASAP before he changes
his mind! :-)

At work, I'm prepping an ssh-key repository to ensure that all keys use a
good password. The repository will generate the ssh keys for the users and
archive the original, no-password key in a vault (literal, steel vault with
key as text on paper with a barcode for fast input, placed there by someone
with a firearms license at the federal level), then the user must enter a
password to encrypt the key. That encrypted key is then copied to their
thumb drive and the original unencrypted is hashed, wiped and the hash
stored. Their pub key is placed in the ldap server. The sshd is a modified
one that locates ssh pub keys from ldap. It is also configured to never
allow a password entry.

The complicated (and unwritten) stage is to devise a method that checks the
connecting user's priv key for being still password locked once they log in.
If it's NOT locked, they are kicked out and the pub key is removed from
ldap. Not sure yet on how to do this.

--
James P. Kinney III
I would rather stumble along in freedom than walk effortlessly in chains.
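
An added example (not part of the original post, and not the repository's own code): a check the key repository described above could run before a key is copied to a thumb drive, reporting whether a private key file is passphrase-protected. It covers legacy PEM, PKCS#8 and the newer openssh-key-v1 container, which goes beyond the formats in use when this was posted; the function and sample names are assumptions and the samples are constructed placeholders. It inspects the file itself, so it applies wherever the file is available, not on the sshd side, which never receives the private key.

```python
import base64, re, struct

MAGIC = b"openssh-key-v1\0"
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def is_passphrase_protected(key_text):
    """True if the private key file is encrypted, False if it is stored in the clear."""
    m = PEM_RE.search(key_text)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 encrypted container
        return True
    if label == "PRIVATE KEY":             # PKCS#8 unencrypted container
        return False
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Legacy PEM declares encryption in headers before the base64 body.
        return "Proc-Type: 4,ENCRYPTED" in body
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        if len(cipher) != n:
            raise ValueError("truncated ciphername field")
        return cipher != b"none"           # "none" means no passphrase
    raise ValueError("unsupported key format: " + label)

def _pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def _openssh_header(cipher, kdf):
    # Constructed sample: header fields only, no key material follows.
    field = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(MAGIC + field(cipher) + field(kdf)).decode()

# Constructed samples (placeholder bodies, not real keys).
SAMPLES = {
    "legacy-locked": _pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC," + "0" * 32 + "\n\nAAAA"),
    "legacy-clear": _pem("RSA PRIVATE KEY", "AAAA"),
    "openssh-locked": _pem("OPENSSH PRIVATE KEY", _openssh_header(b"aes256-ctr", b"bcrypt")),
    "openssh-clear": _pem("OPENSSH PRIVATE KEY", _openssh_header(b"none", b"none")),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "OK to release" if is_passphrase_protected(text) else "REFUSE: no passphrase")
```
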