From: Erik Norgaard <norgaard@locolomo.org>
Date: Wed, 24 Jun 2009 16:50:01 +0200
To: cpghost
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <4A423D19.4050602@locolomo.org>
In-Reply-To: <20090624140221.GA1974@phenom.cordula.ws>

cpghost wrote:
> On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> But port knocking can be useful and provide more security *if* you
> modify the knocking sequence algorithmically and make it, e.g. a
> function of time, source IP/range (and other factors). This could
> prevent a whole class of replay-attacks.
>
> Of course, you can modify the keys/passwords algorithmically and
> make them a function of time, source IP etc. as well... ;-)

I don't think it's worth wasting time trying to repair a conceptually bad idea, in particular when there are so many alternatives.

Whichever way you turn this idea around, it boils down to a shared secret. The security of a shared secret is inversely proportional to the number of people knowing it, while the trouble of changing it is proportional to the number knowing it.

You've already got individual passwords in place. If your knock sequence/shared secret is randomly chosen from, say, 1 million (any number will do for the example), won't you get better security by increasing the entropy of the individual passwords equivalently?

> And while we're at it: how about real OPIE? Or combining SSH keys,
> OPIE, and port knocking?

What is the easier solution: implementing port knocking or doubling the length of your ssh keys?

Each of the technologies you mention can be tuned for higher security using longer passwords, checking entropy when people choose a new password, more ports in the range of your combination, more knocks etc. I don't get why you wish to combine different technologies rather than tune the well-tested and tried, already-implemented out-of-the-box methods for higher security.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
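The comparison Erik makes above (a knock sequence drawn from about 1 million possibilities versus simply lengthening the existing passwords or keys) can be put in numbers. The script below is an added illustration, not part of the original thread or of any FreeBSD tool: it computes the entropy in bits of a knock sequence and of a password, and answers the question of how many extra uniformly random characters a password needs to gain at least as much entropy as the knock secret would add. The port ranges, knock counts and character-set sizes are constructed sample values.

```python
import math


def secret_bits(space_size: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `space_size` values."""
    if space_size < 1:
        raise ValueError("secret space must contain at least one value")
    return math.log2(space_size)


def knock_sequence_bits(port_range_size: int, knocks: int) -> float:
    """Entropy of a knock sequence: `knocks` ordered hits, each drawn
    uniformly (repetition allowed) from a range of `port_range_size` ports.
    Note this is the attacker's guessing cost only; a sequence is sent in
    the clear, so anyone sniffing the path can replay it regardless of
    how many bits it carries (the replay problem raised in the thread)."""
    if port_range_size < 1 or knocks < 1:
        raise ValueError("need at least one port and one knock")
    return knocks * secret_bits(port_range_size)


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a password of `length` characters chosen uniformly from
    an alphabet of `charset_size` symbols."""
    if charset_size < 2 or length < 0:
        raise ValueError("charset needs at least two symbols, length >= 0")
    return length * math.log2(charset_size)


def extra_password_chars(bits: float, charset_size: int) -> int:
    """Smallest number of additional uniformly random characters from an
    alphabet of `charset_size` symbols that add at least `bits` of entropy.
    This is the 'increase the entropy of the passwords equivalently'
    option from the mail, expressed as a concrete length increase."""
    if bits <= 0:
        return 0
    return math.ceil(bits / math.log2(charset_size))


def compare(port_range_size: int, knocks: int, charset_size: int) -> dict:
    """Side-by-side view: bits added by a knock secret versus the password
    length increase that would buy the same bits. Returns plain numbers so
    the caller (or a test) can inspect them."""
    knock_bits = knock_sequence_bits(port_range_size, knocks)
    return {
        "knock_bits": knock_bits,
        "extra_chars": extra_password_chars(knock_bits, charset_size),
    }


if __name__ == "__main__":
    # Constructed sample: the mail's "1 million" secret space.
    print(f"1e6-way secret: {secret_bits(1_000_000):.2f} bits, "
          f"= {extra_password_chars(secret_bits(1_000_000), 94)} extra "
          f"printable-ASCII characters")
    # Constructed sample: 4 knocks over a 1024-port range.
    print(compare(port_range_size=1024, knocks=4, charset_size=94))
```

Reading the output the way the mail does: a one-in-a-million knock secret is just under 20 bits, which four extra printable characters on each user's existing password already exceed, without adding a second shared secret that has to be rotated for everyone whenever one person leaves.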