Date: Thu, 13 Aug 2020 12:12:48 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: "Jack L." <xxjack12xx@gmail.com>
Cc: Aryeh Friedman <aryeh.friedman@gmail.com>, FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
Message-ID: <CAHu1Y71=fjE1o0CG5dCzOdmVtaDj8EHBA3fH5Aq7YDLo2OAXSQ@mail.gmail.com>
In-Reply-To: <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com>
References: <CAGBxaXmg0DGSEYtWBZcbmQbqc2vZFtpHrmW68txBck0nKJak=w@mail.gmail.com> <CAGBxaX=XbbFLyZm5-BO=6jCCrU%2BV%2BjubxAkTMYKnZZZq=XK50A@mail.gmail.com> <CALeGphwfr7j-xgSwMdiXeVxUPOP-Wb8WFs95tT_%2Ba8jig_Skxw@mail.gmail.com>

Unless they are completely clueless, that's easily detected. Although there
is evidence suggestive of them being clueless...

It is possible to enforce MFA with SSH in a number of ways. E.g.,

pam_google_authenticator
yubikeys with captive ssh private key + touch-to-sign required
etc.

On Thu, Aug 13, 2020 at 12:05 PM Jack L. <xxjack12xx@gmail.com> wrote:
>
> Just change the ssh/rdp ports?
>
> On Thu, Aug 13, 2020 at 11:59 AM Aryeh Friedman
> <aryeh.friedman@gmail.com> wrote:
> >
> > Forgot to ask how common is such idiocy? And is it becoming more common?
> >
> > On Thu, Aug 13, 2020 at 2:56 PM Aryeh Friedman <aryeh.friedman@gmail.com>
> > wrote:
> >
> > > The hosting company for one of our clients sent the following reply to
> > > us/them when we asked them to set up end user accounts on a dedicated
> > > Windows Server, FreeBSD box and CentOS box (all VMs on the same physical
> > > machine with no other VMs on the physical machine) and being told we
> > > needed scriptable access (not web based non-scriptable) to the Windows
> > > desktop and shell accounts (including the ability to sudo) and they agreed
> > > to provide it:
> > >
> > > "[Insert client name here], we do not allow RDP or SSH into our
> > > datacenter. They are the primary vehicles for ransomware and cryptolocker
> > > breaches. We utilize a secure access portal with multi-factor
> > > authentication to ensure you don't get breached."
> > >
> > > I kind of understand RDP (but we have had bad luck with VNC on the same
> > > hosting provider in the past so we prefer RDP), but SSH!?!?!?!?! Their
> > > idea of a "two factor" authentication is each connection will only be
> > > allowed via a web portal and must use a one-time password sent to the
> > > user's smartphone. Not only does this make automated deploy impossible it
> > > is a complete show stopper since our service is IoT and uses its own
> > > custom protocol.
> > >
> > > So how do we/the client tell the hosting company they are full of sh*t
> > > (the client has a 3 year contract with a pay in full to break clause with
> > > them which would be over $100k to break)
> > >
> > > --
> > > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> > >
> >
> >
> > --
> > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

-- 
"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
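
Added example, not part of the original message or thread: a Python check of whether an sshd_config really enforces the SSH MFA mentioned in the reply above (a key plus a PAM prompt such as pam_google_authenticator), by auditing OpenSSH's `AuthenticationMethods` directive in the global section and in every `Match` block. The function names and both sample configurations are constructed for illustration; the parser assumes whitespace-separated `Keyword value` lines.

```python
"""Check whether sshd_config text forces a second step for every SSH login."""

def auth_method_lists(text):
    """Return {scope: AuthenticationMethods value} for global and Match scopes.

    Within a scope sshd keeps the first value it reads; a Match block
    overrides the global value for the connections it matches.
    """
    scope, seen = "global", {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or full-line comment
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            scope = "Match " + value
        elif key == "authenticationmethods":
            seen.setdefault(scope, value)
    seen.setdefault("global", "any")  # sshd default: any one method is enough
    return seen

def mfa_findings(text):
    """Return problems found; an empty list means every listed alternative
    requires at least two different authentication methods."""
    findings = []
    for scope, value in auth_method_lists(text).items():
        for alt in value.split():  # space-separated alternatives
            # "keyboard-interactive:pam" counts as "keyboard-interactive"
            steps = [s.split(":", 1)[0].lower() for s in alt.split(",")]
            if len(steps) < 2:
                findings.append(f"{scope}: '{alt}' lets one method complete login")
            elif len(set(steps)) < 2:
                findings.append(f"{scope}: '{alt}' repeats a single method")
    return findings

# Constructed sample: MFA was intended, but the trailing "publickey"
# alternative and the Match block each reopen single-step login.
WEAK = """\
AuthenticationMethods publickey,keyboard-interactive:pam publickey
Match Address 192.0.2.0/24
    AuthenticationMethods password
"""

# Constructed sample: key and PAM prompt are both required, always.
STRICT = "PasswordAuthentication no\nAuthenticationMethods publickey,keyboard-interactive:pam\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRICT", STRICT)):
        print(name, mfa_findings(cfg) or "every login path needs two methods")
```

A clean result covers only sshd's side: whether the keyboard-interactive step is a real second factor depends on the PAM stack behind it.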