No system is flawless, but some of the techniques mentioned above can make a system reasonably formidable to potential attackers. Paul Sery created a wonderful PAM module (pluggable authentication module), for out-of-band challenge-response, called pam_obc. Da Beave improved pam_obc and made it available on GitHub (https://github.com/beave/pam_obc). Regarding bandwidth, system resources, etc., it depends on the specific organization's priorities as to what solutions they might implement at each "layer" of the security onion. PAM modules require a negligible amount of system resources, minimal bandwidth, and the challenges can be sent over encrypted channels. I am not saying that pam_obc will make an SSH server impervious to attacks, but for some people it may be part of the solution that they are looking for.
Regards