Date: Wed, 24 Jun 2009 17:12:59 +0200 From: cpghost <cpghost@cordula.ws> To: Erik Norgaard <norgaard@locolomo.org> Cc: freebsd-questions@freebsd.org Subject: Re: Best practices for securing SSH server Message-ID: <20090624151259.GA2367@phenom.cordula.ws> In-Reply-To: <4A423D19.4050602@locolomo.org> References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org> <20090624140221.GA1974@phenom.cordula.ws> <4A423D19.4050602@locolomo.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 24, 2009 at 04:50:01PM +0200, Erik Norgaard wrote: > cpghost wrote: > > On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote: > > But port knocking can be useful and provide more security *if* you > > modify the kocking sequence algorithmically and make it, e.g. a > > function of time, source IP/range (and other factors). This could > > prevent a whole class of replay-attacks. > > > > Of course, you can modify the keys/passwords algorithmically and > > make them a function of time, source IP etc. as well... ;-) > > I don't think it's worth wasting time trying to repair a conceptually > bad idea, in particular when there are so many alternatives. > > Whichever way you turn around this idea, it boils down to a shared > secret. The security of a shared secret is inversely proportional to the > people knowing it, while the trouble of changing it is proportional to > the number knowing it. > > You've already got individual passwords in place. If your knock > sequence/shared secret is randomly chosen of say 1 million (any number > will do for the example) won't you get better security increasing the > entropy of the individual passwords equivalently? Agreed. > > And while we're at it: how about real OPIE? Or combining SSH keys, > > OPIE, and port knocking? > > What is the easier solution: implement port knocking or doubling the > length of your ssh keys? It all boils down to this: do you login from a secure machine or not? Each tool has its own set of uses. When I want to log in from a public terminal, I prefer OPIE; when I log in from home, I prefer SSH keys. Port knocking is an interesting technique, but as you pointed out, its only useful on machines with very few accounts. > Each of the technologies you mention can be tuned for higher security > using longer passwords, checking entropy when people choose a new > password, more ports in the range of your combination, more knocks etc. > > I don't get why you wish to combine different technologies rather than > tune the well tested and tried already implemented out of the box > methods for higher security. I totally agree. > BR, Erik > > -- > Erik N?rgaard > Ph: +34.666334818/+34.915211157 http://www.locolomo.org -cpghost. -- Cordula's Web. http://www.cordula.ws/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090624151259.GA2367>