Date: Thu, 3 Dec 2015 08:22:55 +0000 From: Matthew Seaman <matthew@FreeBSD.org> To: freebsd-questions@freebsd.org Subject: Re: best practice for locking down private jail? Message-ID: <565FFBDF.40907@FreeBSD.org> In-Reply-To: <20151203083926.72ad74db.freebsd@edvax.de> References: <CACcSE1yQO8AjW9rpY%2Bd2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com> <20151203083926.72ad74db.freebsd@edvax.de>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --VUACF76DMsWj81gXk6U0fsv0LXE0lHaSF Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On 03/12/2015 07:39, Polytropon wrote: > Oh, and regarding SSH with keys: You can force keys _and_ a > password. Educate the user what a secure password is, and make > him understand "password hygiene". So even if someone is able > to get his SSH keys, the attacker cannot get access without the > password (which is to be provided interactively, not stored in > plain text in some configuration or history file, of course). Keys *and* a password doesn't offer any additional security over just keys alone. Of course, your keys for interactive use should be secured with a passphrase -- this is used to encrypt and decrypt the private key using a symmetric cipher, so that even if an attacker is able to steal the private key, it is unfeasible for them to be able to decrypt it. That passphrase is prompted for during the ssh login very similarly to the way a password is prompted for[*]. As far as I know, there is no way server side to enforce the use of a key that has been protected with a passphrase, and there are good and legitimate reasons to want to use passphrase-less keys for various purpos= es. One thing I'd certainly recommend is tightening up the SSH configuration to ensure you're using the best available crypto. There are, for instance, known problems with dss keys used with moduli of 1024 bits or less. See -- https://weakdh.org/ Here's a very thorough guide to locking down SSH. It's probably overkill for most users though: https://stribika.github.io/2015/01/04/secure-secure-shell.html Cheers, Matthew [*] Although personally I use an ssh agent -- gpg-agent from gnupg2 -- so I only get prompted for the passphrase occasionally. Which is a real sanity saver considering how frequently I'm logging into various different machines. --VUACF76DMsWj81gXk6U0fsv0LXE0lHaSF Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2 iQJ8BAEBCgBmBQJWX/vfXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2NTNBNjhCOTEzQTRFNkNGM0UxRTEzMjZC QjIzQUY1MThFMUE0MDEzAAoJELsjr1GOGkATAoIQAI+OkXwLnArSZCJPV4BjFhFs xn4J8xWjuifLH6UQGyiLUBv/IDmjgOS4rRA6OsV2hcLw0BWDDjElDTzmuHkxmlt4 +K2D4oK1j/1/fHNosxnMRKZDXJ6K5RmtSRSSgF7Tr0xWw9LUH6Bw5kscfWNxQaRd w7Sc5oN7rABtIWJvS8YWq/QRTnmcw3OCVpzDIPQIc/nLrdQN4w/b+RjNPuiowICB Jh49oKR4l1xTZARiZGfvrxtkKK5U5PnXnkFSsprlBNXxGwTEakc/LLHtETLEAePk Iq3acB5BSZn9bgMsj+uyU5jrBlDCnlj8525WyJK+XyNKspIs0+wA22xzD6SIhnTp glIo+K3S6/yNpX6FRfzWTX8HRSQB74QEivmI1e/76oVw6+gWD9vdHvdAO1kpLZvb gavGOqfg/0j2dYAfcNu3Xxg6gTF+4MBS9MqnTTgvDE8JEFNUyBJGAuIxLoYUPQf/ cYkHYKR0Smwea+OLN80TL0p0tF2fIEQN+ufSkIa/eQnCmZnG3xLsHtjTwhFuzZCI QjIatXTzFd/E4Ut4gbBSUTnY2XV0IO223AdL6INq61hAZfUYeuivL4h5IQTXzNJb lc6fIXaUWKP2NWwCIO12fyc6HCdK3Nm6adTslmNcnVueUIThWChB5li4icVCqORa u8/JdrOUrStkkC8/kzgH =Gi4+ -----END PGP SIGNATURE----- --VUACF76DMsWj81gXk6U0fsv0LXE0lHaSF--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?565FFBDF.40907>