From: "lain." <lain@fair.moe>
To: questions@freebsd.org
Subject: Re: Re: Enabling SSHD
Date: Tue, 30 Jan 2024 14:06:51 +0900
Message-ID: <6eaugbyc7ajemwqbrodp4tu73uhjrkfbdmdaavvgjssnzopx6i@4ocegiuwuca3>
In-Reply-To: <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
References: <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan> <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
User-Agent: NeoMutt/20231221

On 2024-01-29 08:47, the silly Paul M Foster claimed to have said:
> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.
>
> In any case, this doesn't provide any actual methods for resolving the
> current problem.
>
> Paul

PGP keys are generally safer than passwords in the case of SSH. If you have password-based authentication enabled, you'll get a password prompt, which could be exploited if your password is known, or somebody guessed it. If you disable that and have key-based authentication instead, you can only log in from a machine that has the public and private keys available, so if the NSA or some other criminal organization were to try to break in, they'd be greeted with a "permission denied". If you're super paranoid, you can configure pf to only allow connections to port 22 from specific hosts on top of that.

I personally use 64-character-long, randomly generated passwords with lowercase, uppercase, digits, and special characters for each login, but way too many people don't. And unlike the well-known 2FA stupidity, PGP keys can be generated and configured on the remote server in just a few seconds.

By the way, if you use Git, you probably already have a PGP key. However, if that Git server happens to be Microsoft GitHub or some Gitea/GitLab/Forgejo instance hosted behind Cloudflare or Fastly, better generate separate PGP keys for each one of them, so you can easily revoke access from bad actors while maintaining access to your own servers.

-- 
lain.

Did you know that?
90% of all emails sent on a daily basis are being sent in plain text, and it's super easy to intercept emails as they flow over the internet?
Never send passwords, tokens, personal information, or other vulnerable information without proper PGP encryption!
If you're writing your emails unencrypted, please consider sending PGP-encrypted emails for security reasons.
You can find my PGP public key at: https://fair.moe/lain.asc
Every good email client is able to send encrypted emails.
If yours can't, then you should consider switching to a secure email client, because yours just sucks.
My recommendations are Claws Mail or NeoMutt.
For instructions on how to encrypt your emails: https://unixsheikh.com/tutorials/gnupg-tutorial.html
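The three steps the reply above recommends (turn off password prompts, rely on keys, and fence port 22 with pf), as an added example that is not code from the post, from FreeBSD or from OpenSSH. It assumes the sshd_config(5) rules that keywords are case-insensitive, that the first occurrence of a keyword is the one that takes effect, and that a Match block only narrows settings for matching connections, so the global section is what has to be checked. The sample config, the table name ssh_admins and the interface name em0 are constructed for illustration. One caveat the post does not spell out: with UsePAM enabled, a password prompt can still arrive through keyboard-interactive authentication, so KbdInteractiveAuthentication (ChallengeResponseAuthentication on OpenSSH before 8.7) has to be set to no as well, and the checker below deliberately treats an unset keyword as a problem rather than trusting a build's compiled-in default.

```python
"""Check and harden an sshd_config for key-only login; emit a pf rule set.

Added example, not code from the post, FreeBSD or OpenSSH.  Assumed
sshd_config(5) semantics: keywords are case-insensitive, the FIRST occurrence
of a keyword takes effect, and keywords inside a Match block apply only to
matching connections.
"""
import re

# Global values needed so that no password prompt is reachable.  With UsePAM
# yes, PAM can still ask for a password via keyboard-interactive, so
# KbdInteractiveAuthentication must be off too, not just PasswordAuthentication.
REQUIRED = {
    "PasswordAuthentication": "no",
    "KbdInteractiveAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PubkeyAuthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # pre-8.7 name
MARKER = "# --- managed: key-only login (first occurrence of a keyword wins) ---"
SUPERSEDED = "  # superseded by managed block"

# Constructed sample resembling a stock config; not taken from any real host.
SAMPLE = """\
#Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
#KbdInteractiveAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
"""


def _split(line):
    """(keyword, value) in lower case; ('', '') for blank and comment lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return "", ""
    parts = re.split(r"[\s=]+", s, maxsplit=1)
    key = ALIASES.get(parts[0].lower(), parts[0].lower())
    return key, (parts[1].strip().lower() if len(parts) > 1 else "")


def parse_global(config_text):
    """Effective {keyword: value} of the global section; first occurrence wins."""
    effective = {}
    for line in config_text.splitlines():
        key, value = _split(line)
        if key == "match":          # everything after this is conditional
            break
        if key:
            effective.setdefault(key, value)
    return effective


def password_login_disabled(config_text):
    """(ok, problems).  An unset keyword counts as a problem because the
    compiled-in default differs between OpenSSH builds."""
    effective, problems = parse_global(config_text), []
    for key, want in REQUIRED.items():
        got = effective.get(key.lower())
        if got is None:
            problems.append(f"{key} not set explicitly (build default applies)")
        elif got != want:
            problems.append(f"{key} is '{got}', want '{want}'")
    return not problems, problems


def harden(config_text):
    """Prepend a managed block with REQUIRED and comment out every global
    occurrence of those keywords, so the first-occurrence rule makes the
    managed values final.  Match blocks are untouched; idempotent."""
    kept, in_match, in_managed = [], False, False
    managed_keys = {k.lower() for k in REQUIRED}
    for line in config_text.splitlines():
        if line == MARKER:
            in_managed = True               # drop an earlier managed block ...
            continue
        if in_managed:
            in_managed = line.strip() != ""  # ... through its blank terminator
            continue
        key, _ = _split(line)
        if key == "match":
            in_match = True
        if not in_match and key in managed_keys:
            kept.append("#" + line + SUPERSEDED)
        else:
            kept.append(line)
    managed = [MARKER] + [f"{k} {v}" for k, v in REQUIRED.items()] + [""]
    return "\n".join(managed + kept) + "\n"


def pf_ssh_rules(allowed_sources, ext_if="em0"):
    """pf.conf fragment admitting TCP/22 only from allowed_sources (hosts or
    CIDRs).  ext_if and the table name are hypothetical.  pf is last-match-wins
    without 'quick', so the pass rule after the block rule admits the table."""
    return "\n".join([
        "table <ssh_admins> { " + ", ".join(allowed_sources) + " }",
        f"block in on {ext_if} proto tcp to port 22",
        f"pass in on {ext_if} proto tcp from <ssh_admins> to port 22",
    ]) + "\n"


if __name__ == "__main__":
    print("before:", password_login_disabled(SAMPLE))
    hardened = harden(SAMPLE)
    print(hardened, "after:", password_login_disabled(hardened))
    print(pf_ssh_rules(["192.0.2.10", "198.51.100.0/24"]))
```

Run it against a copy of /etc/ssh/sshd_config, validate the result with `sshd -t -f <copy>` before installing it, then `service sshd reload`; `sshd -T` prints the effective values sshd itself computed and is the authoritative check after the reload. Load the pf rules from a console session or from a host that is already in the table, and keep that session open until a fresh login from an allowed host succeeds, so a typo in the table does not lock you out.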