From owner-freebsd-questions@FreeBSD.ORG Wed Jun 24 15:13:02 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C28A1065673 for ; Wed, 24 Jun 2009 15:13:02 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42]) by mx1.freebsd.org (Postfix) with ESMTP id 72D178FC2C for ; Wed, 24 Jun 2009 15:13:01 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from phenom.cordula.ws (phenom [192.168.254.60]) by fw.farid-hajji.net (Postfix) with ESMTP id 4C7E6356DE; Wed, 24 Jun 2009 17:12:59 +0200 (CEST) Date: Wed, 24 Jun 2009 17:12:59 +0200 From: cpghost To: Erik Norgaard Message-ID: <20090624151259.GA2367@phenom.cordula.ws> References: <4A406D81.3010803@locolomo.org> <4A4109DE.3050000@locolomo.org> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org> <20090624140221.GA1974@phenom.cordula.ws> <4A423D19.4050602@locolomo.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4A423D19.4050602@locolomo.org> User-Agent: Mutt/1.5.19 (2009-01-05) Cc: freebsd-questions@freebsd.org Subject: Re: Best practices for securing SSH server X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Jun 2009 15:13:02 -0000 On Wed, Jun 24, 2009 at 04:50:01PM +0200, Erik Norgaard wrote: > cpghost wrote: > > On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote: > > But port knocking can be useful and provide more security *if* you > > modify the kocking sequence algorithmically and make it, e.g. a > > function of time, source IP/range (and other factors). This could > > prevent a whole class of replay-attacks. > > > > Of course, you can modify the keys/passwords algorithmically and > > make them a function of time, source IP etc. as well... ;-) > > I don't think it's worth wasting time trying to repair a conceptually > bad idea, in particular when there are so many alternatives. > > Whichever way you turn around this idea, it boils down to a shared > secret. The security of a shared secret is inversely proportional to the > people knowing it, while the trouble of changing it is proportional to > the number knowing it. > > You've already got individual passwords in place. If your knock > sequence/shared secret is randomly chosen of say 1 million (any number > will do for the example) won't you get better security increasing the > entropy of the individual passwords equivalently? Agreed. > > And while we're at it: how about real OPIE? Or combining SSH keys, > > OPIE, and port knocking? > > What is the easier solution: implement port knocking or doubling the > length of your ssh keys? It all boils down to this: do you login from a secure machine or not? Each tool has its own set of uses. When I want to log in from a public terminal, I prefer OPIE; when I log in from home, I prefer SSH keys. Port knocking is an interesting technique, but as you pointed out, its only useful on machines with very few accounts. > Each of the technologies you mention can be tuned for higher security > using longer passwords, checking entropy when people choose a new > password, more ports in the range of your combination, more knocks etc. > > I don't get why you wish to combine different technologies rather than > tune the well tested and tried already implemented out of the box > methods for higher security. I totally agree. > BR, Erik > > -- > Erik N?rgaard > Ph: +34.666334818/+34.915211157 http://www.locolomo.org -cpghost. -- Cordula's Web. http://www.cordula.ws/