http://www.extrapepperoni.com/2007/03/15/locking-ssh-access-to-solaris-accounts/ Chris Pepper on whatever (the non-Julia blog) Fri, 29 Aug 2008 06:40:21 +0000 http://wordpress.org/?v=2.6 http://www.extrapepperoni.com/2007/03/15/locking-ssh-access-to-solaris-accounts/#comment-36 Extra Pepperoni » Take Control of SSH, Draft Excerpt: Public Key Authentication Sun, 25 Mar 2007 01:16:17 +0000 http://www.extrapepperoni.com/2007/03/15/locking-ssh-access-to-solaris-accounts/#comment-36 <p>[...] UNIX passwords present several problems for administrators. What legitimate users can remember and type (generally considered to be 8 letters and numbers) is a small enough range of possibilities for attackers to try all possibilities. “Account lockout” is a feature of some systems (including Mac OS X Server) to disable accounts after several failed guesses — which often identifies an attack. Unfortunately, this means legitimate users get blocked when their accounts are attacked, and locking legitimate users out of their own accounts is a successful attack (although not as serious as gaining illicit access). System administrators would often prefer to avoid this by not allowing password access at all. On Mac OS X, it’s difficult to set up an account without a password; it’s easier to create a long random password (12+ characters — Keychain Access can do this for you), and never write it down or give it to the account user, requiring public key authentication or some other high security authentication (such as smart cards) instead. On other systems, it’s easy to simply not set UNIX passwords for accounts (although there are complications). [...]</p> [...] UNIX passwords present several problems for administrators. What legitimate users can remember and type (generally considered to be 8 letters and numbers) is a small enough range of possibilities for attackers to try all possibilities. “Account lockout” is a feature of some systems (including Mac OS X Server) to disable accounts after several failed guesses — which often identifies an attack. Unfortunately, this means legitimate users get blocked when their accounts are attacked, and locking legitimate users out of their own accounts is a successful attack (although not as serious as gaining illicit access). System administrators would often prefer to avoid this by not allowing password access at all. On Mac OS X, it’s difficult to set up an account without a password; it’s easier to create a long random password (12+ characters — Keychain Access can do this for you), and never write it down or give it to the account user, requiring public key authentication or some other high security authentication (such as smart cards) instead. On other systems, it’s easy to simply not set UNIX passwords for accounts (although there are complications). [...]

]]>