Whew, thanks!

I think I can eliminate passwords on my webhost (joyent, pretty sophisticated) 
using just PKI/ssh.  And all my macs allow turning off passwords, using keys 
only. And my iPad has an ssh/vnc app that should let me use keys too. My phone 
may have problems, but it is jailbroken and has ssh built in so probably can 
work fine too.

That sounds like I'm getting there .. and I'll definitely not annoy The Big 
Guys.

One question I've puzzled over is use of keys.  Some folks claim you should 
have one private key for yourself and use it everywhere.  If you think it gets 
stolen, then you remove the corresponding public key on the servers.  The other 
approach is to have a key-pair per device as well as one for yourself.  So if 
your phone is stolen, you remove its public key from the services you use, but 
everything else works fine.

I'm not quite sure which way to go, but am tending to key-pair per device, as 
well as one "global" pair for "me" used for signing and similar things.

Any advice?

    -- Owen
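
One way to run the key-pair-per-device scheme Owen describes, as an added example that is not part of the original thread: each device gets its own authorized_keys line tagged with a comment, and revoking a stolen device removes only that line. The file path, device names and key strings are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: one authorized_keys line per device,
# tagged by its comment field, so a single lost device can be revoked alone.
# The key material below is a constructed placeholder, not a real public key,
# and entries are assumed to have no leading options field.

AK="${AK:-${TMPDIR:-/tmp}/authorized_keys.example}"

# Write the constructed sample file: the comment (last field) names the device.
make_sample_authorized_keys() {
    cat > "$AK" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_MACBOOK owen@macbook
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_IPAD owen@ipad
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_PHONE owen@phone
EOF
    chmod 600 "$AK"
}

# Print the device name of every active (non-comment) entry.
list_devices() {
    awk '$1 !~ /^#/ && NF >= 3 { print $NF }' "$AK"
}

# Number of active entries; lets a caller verify exactly one line went away.
count_keys() {
    awk '$1 !~ /^#/ && NF >= 3' "$AK" | wc -l | tr -d ' '
}

# Exit 0 if the named device still has an entry, non-zero otherwise.
has_access() {
    list_devices | grep -qx -- "$1"
}

# Revoke one device: drop only the line whose comment equals the device name.
# Writes to a temp file and renames, so sshd never reads a half-written file.
revoke_device() {
    awk -v d="$1" '!($1 !~ /^#/ && NF >= 3 && $NF == d)' "$AK" > "$AK.tmp" \
        && mv "$AK.tmp" "$AK"
    chmod 600 "$AK"
}

# Demonstration: the phone is stolen, so only its key is removed.
make_sample_authorized_keys
revoke_device owen@phone
list_devices        # prints owen@macbook and owen@ipad
```

The same per-device tagging also works in the other direction: `list_devices` run against a real `~/.ssh/authorized_keys` is a quick audit of which devices currently have access.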


On Dec 24, 2010, at 1:46 PM, Parks, Raymond wrote:

> Owen,
> 
>  Openssh with PKI will frustrate all but a high-level attacker targeting you, 
> specifically (try not to annoy Hu Jin Tao or Vladimir Putin :-).  Leaving the 
> ssh well-known port open to the Internet means your system will constantly 
> receive attempts to connect.  It's annoying and uses up cycles and bandwidth. 
>  Port-knocking and using an alternate port reduce that annoyance considerably.
> 
>  If you've got ssh working, then scp is a better alternative to ftp.
> 
>  If you're feeling mean, you can set up a scheme that answers all ports but, 
> with the exception of the ones you're using, returns a TCP window length of 
> 0.  This is a perfectly valid response when a server can't handle further 
> requests.  It basically puts scanning and portmapping programs into an 
> infinite loop, however.
> 
>  What's scary is that most web-sites hash your password without salt using 
> md5.  The dual-GPU systems I purchased earlier can brute force 2.4 billion 
> md5 hashes per minute per GPU.  More specialized systems with more GPUs or 
> using the cloud GPUs can do proportionately better.  Using rainbow tables 
> makes mass password guessing (as in the leaked Gawker info) possible.
> 
>  I use a formula that includes an element of the web-site with one of several 
> standard salts.  I can usually find the right password within the try count.
> 
> Ray Parks
> 
> 
> ----- Original Message -----
> From: Owen Densmore [mailto:[email protected]]
> Sent: Friday, December 24, 2010 09:05 AM
> To: The Friday Morning Applied Complexity Coffee Group <[email protected]>
> Subject: Re: [FRIAM] Passwords
> 
>> From: "Parks, Raymond" <[email protected]>
>> Subject: Re: [FRIAM] Passwords
>> 
>> Folks,
>> 
>> I decided to put my advice about securing home networks in this message, 
>> along with password advice. ....
> 
> Ray: Would you not trust a PKI system (openssh) with passwords disabled?  What 
> sort of vulnerability would it face .. other than someone stealing the 
> private key?  I had naively assumed it would be secure, and planned a set of 
> tunnels for screen sharing, file sharing, and ssh.  That's basically my goal: 
> having lots of devices share resources like screen (VNC) and data (ftp/ssh).
> 
> The port-knocking scheme seems very interesting and there is a command-line 
> client/daemon for several OSs: http://www.zeroflux.org/projects/knock
> 
> I completely agree the limited password symbols/length of many sites make 
> things a lot harder.  Given some reasonable pass-phrase, a unique 
> modification for each site makes a lot of sense, but unfortunately the 
> differing passwords allowed make this impossible.
> 
>    -- Owen
> 
> 
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> lectures, archives, unsubscribe, maps at http://www.friam.org
> 

