Date: Tue, 30 Jan 2024 14:06:51 +0900
From: "lain." <lain@fair.moe>
To: questions@freebsd.org
Subject: Re: Re: Enabling SSHD
Message-ID: <6eaugbyc7ajemwqbrodp4tu73uhjrkfbdmdaavvgjssnzopx6i@4ocegiuwuca3>
In-Reply-To: <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
References: <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan>
 <CPja5CJLsYzkPuo_qd5lnJuUj6lBBCW2uHo3NcbFubhGSKa2gNEu0ETvjZSAwI_-rQFuVvUJR2s10xbz40uL17k1lpLSCiz8azHd77S9LK8=@proton.me>
 <BHs6axVCDQRUWc9O5KLVIF5b9tVo_qUIXZfJ3ASj6U-6sfJKBhcSrOn_VWfYfrxOQyFSEZKLjQuHbBKJ57NuwR-jAl7kDRYp7ix7bDVgCfk=@proton.me>
 <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>

On 2024年01月29日 08:47, the silly Paul M Foster claimed to have said:
> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.
>
> In any case, this doesn't provide any actual methods for resolving the
> current problem.
>
> Paul

PGP keys are generally safer than passwords in the case of SSH.
If you have password-based authentication enabled, you'll get a password
prompt, which could be exploited if your password is known, or somebody
guessed it.
If you disable that and have key-based authentication instead, you can only
login from a machine that has the public and private keys available, so if
the NSA or some other criminal organization would try to break in, they'll be
greeted with a "permission denied".
If you're super paranoid, you can configure pf to only allow connections to
port 22 from specific hosts only on top of that.

I personally use 64 character long, randomly generated passwords with
lowercase, uppercase, digits, and special characters for each login, but way
too many people don't.
And unlike the well known 2FA stupidity, PGP keys can be generated and
configured on the remote server in just a few seconds.

By the way, if you use Git, you probably already have a PGP key.
However, if that Git server happens to be Microsoft Github or some
Gitea/Gitlab/Forgejo instance hosted behind Cloudflare or Fastly, better
generate separate PGP keys for each one of them, so you can easily revoke
access to bad actors while maintaining access to your own servers.

-- 
lain.

Did you know that?
90% of all emails sent on a daily basis are being sent in plain text, and it's
super easy to intercept emails as they flow over the internet?
Never send passwords, tokens, personal information, or other vulnerable
information without proper PGP encryption!

If you're writing your emails unencrypted, please consider sending PGP
encrypted emails for security reasons.
You can find my PGP public key at: https://fair.moe/lain.asc

Every good email client is able to send encrypted emails.
If yours can't, then you should consider switching to a secure email client,
because yours just sucks.
My recommendations are Claws Mail or NeoMutt.
For instructions on how to encrypt your emails:
https://unixsheikh.com/tutorials/gnupg-tutorial.html
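An added example, not part of the message above: after switching to key-based login, a check that no password prompt is still reachable. It reads the lowercase "keyword value" lines that `sshd -T` prints. It treats keyboard-interactive as a password path because on FreeBSD PAM can still ask for a password through it even when `PasswordAuthentication` is `no`. The function names and sample inputs are constructed for illustration, and only these three methods are considered.

```shell
#!/bin/sh
# Classify sshd's effective settings by whether a password prompt is reachable.
# Input format: the "keyword value" lines printed by `sshd -T`.

# Constructed sample: password auth off, keyboard-interactive (PAM) still on.
SAMPLE_PAM_OPEN='passwordauthentication no
kbdinteractiveauthentication yes
usepam yes
pubkeyauthentication yes'

# Constructed sample: key-only login.
SAMPLE_KEY_ONLY='passwordauthentication no
kbdinteractiveauthentication no
usepam yes
pubkeyauthentication yes'

# get_opt CONFIG KEY -> lowercased value of KEY (first occurrence wins)
get_opt() {
    printf '%s\n' "$1" |
        awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# audit_sshd CONFIG -> prints exactly one verdict word
audit_sshd() {
    cfg=$1
    pw=$(get_opt "$cfg" passwordauthentication)
    kbd=$(get_opt "$cfg" kbdinteractiveauthentication)
    pk=$(get_opt "$cfg" pubkeyauthentication)
    if [ "$pw" = yes ]; then
        echo password-enabled
    elif [ "$kbd" = yes ]; then
        echo keyboard-interactive-enabled   # PAM may still prompt for a password
    elif [ "$pk" = yes ]; then
        echo key-only
    else
        echo no-usable-method               # nobody could log in with these settings
    fi
}

# On a live host, as root: audit_sshd "$(sshd -T)"
audit_sshd "$SAMPLE_PAM_OPEN"
audit_sshd "$SAMPLE_KEY_ONLY"
```

If the configuration uses `Match` blocks, run `sshd -T -C user=NAME,host=HOST,addr=ADDR` for each connection profile you care about, since the effective values can differ per match.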