From: Matt Smith
To: Christopher Sean Hilton
Cc: Ian Smith, freebsd-questions@freebsd.org
Date: Thu, 1 Oct 2015 19:35:30 +0100
Subject: Re: Protecting sshd - Was: SSHguard & IPFW
Message-ID: <20151001183530.GE15788@xtaz.uk>
In-Reply-To: <20151001164935.GA1268@hadar.local>
References: <20151001033001.R67283@sola.nimnet.asn.au> <20151001173313.T67283@sola.nimnet.asn.au> <20151001164935.GA1268@hadar.local>
List-Id: User questions (freebsd-questions@freebsd.org)
User-Agent: Mutt/1.5.24 (2015-08-30)

On Oct 01 12:49, Christopher Sean Hilton wrote:
> The crux of the issue is ssh with password auth. You are either
> allowing passwords or you aren't. If you aren't allowing passwords
> then the brute force industry's chances of successfully compromising
> your servers are very, very low and you are relatively safe. If you
> allow passwords, you're open to their attack and if you have any weak
> passwords, it's a matter of time.

There are two ports which provide a PAM module which is very handy for adding two-factor authentication to ssh. security/oath-toolkit is the one I use, but there is also security/pam_google_authenticator.

With one of these you can add a line to /etc/pam.d/sshd and use an app on your phone which supports HOTP/TOTP; I personally use the Google Authenticator app. You generate a secret and scan it into the phone with a QR code, and it shows a 6-digit number which changes every 30 seconds.

Then if you log in to ssh with a certificate it works like normal. If you log in to ssh with a password then it *also* asks for the latest code from your phone in addition to the password. Hugely more secure, as even if somebody on the internet knows your password, it's highly unlikely they will also know the code currently displayed on your phone.

-- 
Matt