From owner-freebsd-questions@freebsd.org Thu Oct 1 19:08:36 2015
Subject: Re: Protecting sshd - Was: SSHguard & IPFW
From: Christopher Hilton
To: Matt Smith
Cc: Ian Smith, freebsd-questions@freebsd.org
Date: Thu, 1 Oct 2015 15:08:32 -0400
Message-Id: <9FCF0A95-1BB7-4660-B9BB-A897CC5ABE27@vindaloo.com>
In-Reply-To: <20151001183530.GE15788@xtaz.uk>
List-Id: User questions
> On Oct 1, 2015, at 2:35 PM, Matt Smith wrote:
>
> On Oct 01 12:49, Christopher Sean Hilton wrote:
>> The crux of the issue is ssh with password auth. You are either
>> allowing passwords or you aren't. If you aren't allowing passwords,
>> then the brute-force industry's chances of successfully compromising
>> your servers are very, very low and you are relatively safe. If you
>> allow passwords, you're open to their attack, and if you have any weak
>> passwords, it's a matter of time.
>
> There are two ports which provide a PAM module which is very handy for
> adding two-factor authentication to ssh. security/oath-toolkit is the
> one I use, but there is also security/pam_google_authenticator. With one
> of these you can add a line to /etc/pam.d/sshd and use an app on your
> phone which supports HOTP/TOTP; I personally use the Google
> Authenticator app. You generate a secret and scan it into the phone with
> a QR code, and it shows a 6-digit number which changes every 30 seconds.
>
> Then if you log in to ssh with a certificate it works like normal. If
> you log in to ssh with a password then it *also* asks for the latest
> code from your phone in addition to the password. Hugely more secure, as
> even if somebody on the internet knows your password, it's highly
> unlikely they will also know the code currently displayed on your phone.

I would add that to my bag of tricks and consider it worlds more secure
than sshd with only passwords. Is this the same Authenticator App that
Google uses for two-factor? I'm not sure where I would put it on the
spectrum between Passwords Alone and Ssh-Keys Alone, but it would be far
enough along on the More Secure side that I would trust it.

Chris

        __o          "All I was trying to do was get home from work."
      _`\<,_                                   -Rosa Parks
___(*)/_(*)____.___o____..___..o...________ooO..._____________________
Christopher Sean Hilton                     [chris/at/vindaloo/dot/com]

> --
> Matt