From: Daniela
To: William Palfreman
cc: Kenneth Culver
cc: questions@freebsd.org
cc: Kirill Pisman
Date: Sun, 11 May 2003 00:41:39 +0000
Subject: Re: Why is port 22 open by default?

On Saturday 10 May 2003 11:52, William Palfreman wrote:
> On Sat, 10 May 2003, Daniela wrote:
>
> > > SSH is fairly secure, but there is no 100% secure remote access
> > > solution. That said, you should be fine with ssh enabled, I've had it
> > > enabled for ages without problems, just make sure you pick a good
> > > password.
> >
> > Sounds like SSH is secure enough for me. Or is a 19 character password
> > too short? :-)
>
> A word of caution here. There have been plenty of previous releases of
> OpenSSH that have been cracked, often for reasons external to it, like
> the gzip compression library overflow, and more recent issues with
> OpenSSL. Unless you really need cross-Internet access to a machine,
> don't enable ssh logins on an Internet facing server. If you must have
> remote access from the Internet, consider using something more secure
> than passwords for authentication. I use rsa/dsa key
> authentication only. Even then, you must pay special attention to
> security announcements that affect OpenSSH.

Just one question: Why isn't rsa/dsa key authentication the default?
Is it hard to set up? Are there other drawbacks?
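
The key-only setup recommended in the quoted reply comes down to a few sshd_config settings. The following is an added example, not part of the original message: a shell check that reports whether a given sshd_config still permits password logins. It assumes upstream OpenSSH defaults and reads only the global section; the function names effective_value and audit_sshd_config are hypothetical.

```shell
#!/bin/sh
# Added example: classify an sshd_config as key-only or password-allowed.
# sshd keeps the FIRST value it reads for a keyword; keywords are
# case-insensitive. Only the global section (before any Match) is examined.

# effective_value FILE "key1|key2" DEFAULT
# Prints the first value set for any of the listed (lower-case) keywords.
effective_value() {
    awk -v keys="|$2|" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }                    # global section ends here
        index(keys, "|" k "|") {
            v = tolower($2); gsub(/"/, "", v)    # values may be quoted
            print v; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> prints key-only | password-allowed | no-pubkey
# Defaults are those of upstream OpenSSH (assumption: vendor builds may differ).
audit_sshd_config() {
    pw=$(effective_value "$1" "passwordauthentication" yes)
    # ChallengeResponseAuthentication is the older name of the same option.
    kbd=$(effective_value "$1" \
        "kbdinteractiveauthentication|challengeresponseauthentication" yes)
    pk=$(effective_value "$1" "pubkeyauthentication" yes)
    if [ "$pk" != yes ]; then
        echo no-pubkey
    elif [ "$pw" = yes ] || [ "$kbd" = yes ]; then
        echo password-allowed
    else
        echo key-only
    fi
}

# Constructed sample: the second PasswordAuthentication line is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PubkeyAuthentication yes
passwordauthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

Turning off PasswordAuthentication alone is not enough when keyboard-interactive authentication is left on, which is why the check reports password-allowed in that case.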