Date: Wed, 24 Jun 2009 16:50:01 +0200
From: Erik Norgaard <norgaard@locolomo.org>
To: cpghost <cpghost@cordula.ws>
Cc: freebsd-questions@freebsd.org
Subject: Re: Best practices for securing SSH server
Message-ID: <4A423D19.4050602@locolomo.org>
In-Reply-To: <20090624140221.GA1974@phenom.cordula.ws>
References: <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org> <20090624140221.GA1974@phenom.cordula.ws>
cpghost wrote:
> On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> But port knocking can be useful and provide more security *if* you
> modify the knocking sequence algorithmically and make it, e.g., a
> function of time, source IP/range (and other factors). This could
> prevent a whole class of replay attacks.
>
> Of course, you can modify the keys/passwords algorithmically and
> make them a function of time, source IP etc. as well... ;-)

I don't think it's worth wasting time trying to repair a conceptually bad idea, in particular when there are so many alternatives.

Whichever way you turn this idea around, it boils down to a shared secret. The security of a shared secret is inversely proportional to the number of people knowing it, while the trouble of changing it is proportional to the number knowing it.

You've already got individual passwords in place. If your knock sequence/shared secret is randomly chosen out of, say, 1 million (any number will do for the example), won't you get better security by increasing the entropy of the individual passwords equivalently?

> And while we're at it: how about real OPIE? Or combining SSH keys,
> OPIE, and port knocking?

What is the easier solution: implementing port knocking or doubling the length of your ssh keys?

Each of the technologies you mention can be tuned for higher security using longer passwords, checking entropy when people choose a new password, more ports in the range of your combination, more knocks etc. I don't get why you wish to combine different technologies rather than tune the well-tested and tried, already-implemented, out-of-the-box methods for higher security.

BR, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org