Date:      Thu, 1 Oct 2015 15:08:32 -0400
From:      Christopher Hilton <chris@vindaloo.com>
To:        Matt Smith <fbsd@xtaz.co.uk>
Cc:        Ian Smith <smithi@nimnet.asn.au>, freebsd-questions@freebsd.org
Subject:   Re: Protecting sshd - Was: SSHguard & IPFW
Message-ID:  <9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27@vindaloo.com>
In-Reply-To: <20151001183530.GE15788@xtaz.uk>
References:  <mailman.98.1443614402.37653.freebsd-questions@freebsd.org> <20151001033001.R67283@sola.nimnet.asn.au> <CALf6cgY0TYxugyMWd7ugpL5YgjKYiX%2Bk35%2BP1%2BzwbDMJw9T2Jw@mail.gmail.com> <20151001173313.T67283@sola.nimnet.asn.au> <20151001164935.GA1268@hadar.local> <20151001183530.GE15788@xtaz.uk>


> On Oct 1, 2015, at 2:35 PM, Matt Smith <fbsd@xtaz.co.uk> wrote:
> 
> On Oct 01 12:49, Christopher Sean Hilton wrote:
>> The crux of the issue is ssh with password auth. You are either
>> allowing passwords or you aren't. If you aren't allowing passwords
>> then the brute-force industry's chances of successfully compromising
>> your servers are very very low and you are relatively safe. If you
>> allow passwords, you're open to their attack and if you have any weak
>> passwords, it's a matter of time.
> 
> There are two ports which provide a pam module which is very handy for
> adding two-factor authentication to ssh. security/oath-toolkit is the
> one I use but there is also security/pam_google_authenticator. With one
> of these you can add a line to /etc/pam.d/sshd and use an app on your
> phone which supports HOTP/TOTP; I personally use the Google
> Authenticator app. You generate a secret and scan it into the phone with
> a QR code and it shows a 6-digit number which changes every 30 seconds.
> 
> Then if you log in to ssh with a certificate it works like normal. If
> you log in to ssh with a password then it *also* asks for the latest
> code from your phone in addition to the password. Hugely more secure as
> even if somebody on the internet knows your password, it's highly
> unlikely they will also know the code currently displayed on your phone.

I would add that to my bag of tricks and consider it worlds more secure
than sshd with only passwords. Is this the same Authenticator App that
Google uses for two factor? I'm not sure where I would put it on
the spectrum between Passwords Alone and Ssh-Keys Alone but it would be
far enough along on the More Secure side that I would trust it.

Chris

      __o          "All I was trying to do was get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]



> --
> Matt





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27>