Re: OT: Safe to access SSH server from work?

2011-05-20 Thread Celejar
On Sat, 14 May 2011 23:15:33 +0900
Joel Rees joel.r...@gmail.com wrote:

...

> Disable root login on ssh entirely. (/etc/ssh/sshd_config has that
> enabled in my more-or-less default install. That is, I think, so you
> don't find yourself in a catch-22 when installing remotely. Should be
> in a list of things to do afterboot.)

From /usr/share/doc/openssh-server/README.Debian:

 PermitRootLogin set to yes
 --
 
 This is now the default setting (in line with upstream), and people
 who asked for an automatically-generated configuration file when
 upgrading from potato (or on a new install) will have this setting in
 their /etc/ssh/sshd_config file.
 
 Should you wish to change this setting, edit /etc/ssh/sshd_config, and
 change:
 PermitRootLogin yes
 to:
 PermitRootLogin no
 
 Having PermitRootLogin set to yes means that an attacker that knows
 the root password can ssh in directly (without having to go via a user
 account). If you set it to no, then they must compromise a normal user
 account. In the vast majority of cases, this does not give added
 security; remember that any account you su to root from is equivalent
 to root - compromising this account gives an attacker access to root
 easily. If you only ever log in as root from the physical console,
 then you probably want to set this value to no.
 
 As an aside, PermitRootLogin can also be set to without-password or
 forced-commands-only - see sshd(8) for more details.
 
 DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
 
 The argument above is somewhat condensed; I have had this discussion
 at great length with many people. If you think the default is
 incorrect, and feel strongly enough to want to argue about it, then
 send email to debian-...@lists.debian.org. I will close bug reports
 claiming the default is incorrect.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110520132526.e4e508cb.cele...@gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-14 Thread Joel Rees
On Fri, May 6, 2011 at 6:14 AM, George pinkisntw...@gmail.com wrote:
> I have a computer at home that I'm doing some research on and I set up
> an SSH server on it so I can access it from other computers at home. I
> haven't opened up the network to the internet yet though, as I'm not
> confident enough that it is safe.
>
> What are the configuration steps that I will need to do on the server
> and the client to be able to access the computer from my
> workplace?

Late to the party and I'm sure I'm going to generate some heat, but
there's sure a lot of misinformation in this thread.

First, don't trust anything you read in this thread, including what
I'm telling you, without checking in the usual places.

(Remember that wikipedia can be edited by people you don't trust, so
check the references, check back on different days.)

The openbsd project is where openssh came from, so resources under
openbsd.org probably deserve a bit more weight than this list, even
though you think you know many people here (and you don't know me).
openssh.com is the official site for openssh.

Disable root login on ssh entirely. (/etc/ssh/sshd_config has that
enabled in my more-or-less default install. That is, I think, so you
don't find yourself in a catch-22 when installing remotely. Should be
in a list of things to do afterboot.)

Don't use port 22. I know that it's just obfuscation, but every speed
bump helps. You will definitely get probed regularly on port 22. Probes
on higher ports will be fewer, and that helps. And you can put
tarpitting firewall rules on port 22, for a little
spitting-in-the-face-of-the-enemy.

Just for fun, you can port-forward from a different external port to
give the intruders more to think about when they succeed in
compromising other internal boxes. On the other hand, you then have to
remember what you did, which is one of the down-sides to obscurity.

Anyway, look up the uses of the port you decide to use instead, you
probably don't want to use one that is typically used in botnets
and their control networks.

Port knocking is useful, particularly if you aren't ssh-ing all the
time. On the other hand, if you have reason to think an attacker is
targeting your box specifically, recognize that port knocking can be
spotted. If you have reason to worry about that sort of stuff,
customize your port-knocker so that it changes the pattern in a
pseudo-random one-time-pad sort of way. (More things to keep track of,
yes. Don't do this unless you really have to worry about observers and
attackers.)

Keys+passphrases vs. passwords, well, break out bc to do the calculation:

Using the full keyboard, you're working on 95 ^ 15 possible
combinations on a 15-letter password:

(95^15)/(1024*1024*60*60*24*365)
14010304008739644

We're not talking about ten or a hundred years to even a highly likely
successful attack.

Still, since that pair of 1024s in the denominator is a lot more tries
than once a second, use the usual suspects to keep sshd from accepting
more than one login attempt per second total (adjust that by the
actual number of near concurrent valid login attempts you actually
expect, but more than one second between should be unnecessary) and
temporarily drop repeated attempts from the same IP. Temporary because
you know you're going to mess it up three times in a row sometimes,
and a five-minute wait is better than having to go home and edit a
block rules list.

But recognize that your brain has entropy eaters. l33t5p3@| can
actually reduce entropy if the attacker has seen some of the passwords
your brain has generated in the past. Probably wisest to use a random
password generator that someone you trust wrote.

The problem I have with keys is that MSWindows boxes tend to grow
weeds. Even the BIOS is not necessarily safe any more. And bugged
keyboards have been mentioned. (Weird. Did you know that standard
keyboards can have their controllers re-written remotely via flash
vulnerabilities?)

Depending on your work environment, you may want to assume that even
booting a liveCD is not going to clear the keyloggers.

So, okay, having both the physical key (on a hardware
write-protectable key) and a strong passphrase for the key can raise a
speedbump because it requires two pieces of malware to be on the
machine. But anything running in a compromised machine can be
compromised, so we assume that the machine itself can grab the key at
some point in the retrieval and transmission.

One of those dedicated key devices with a keypad that requires you to
type your PIN in to get out the passphrase does avoid all keyloggers on
the MSWindows machine.

With a liveCD (or hardware write-protected liveUSB) you have slightly
better odds of beating the malware on the host, and you could have an
encrypted one-time-pad on the CD or USB. And only malware in the BIOS
could get close to the one-time pad.

Frankly, I'm more inclined to spring for an Android phone if I really
need to log in from home.


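Joel's advice above to throttle sshd and temporarily drop repeated attempts from the same IP is what tools such as fail2ban or an iptables `recent` match do on a Debian box. The Python below is an added example, not code from the thread or from either of those tools: it implements that policy (N failures inside a sliding window earn a fixed, temporary block) over a few constructed auth.log lines, so the edge cases are visible, including the attacker who paces his guesses to stay under the window. The host name, PIDs and addresses in the sample log are made up.

```python
import re
from datetime import datetime, timedelta

# Matches the "Failed password" line sshd writes to auth.log on a bad
# password, in both the valid-user and invalid-user forms.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failure(line, year=2011):
    """Return (timestamp, source_ip) for a failed-password line, else None.

    syslog timestamps carry no year, so the caller supplies it.
    """
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


class LoginGuard:
    """Count failures per source address inside a sliding window and block
    the address for a fixed period once the limit is reached.

    The block is temporary on purpose: mistyping your own password three
    times should cost five minutes, not a trip home to edit firewall rules.
    """

    def __init__(self, max_failures=3, window=timedelta(seconds=60),
                 ban=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.window = window
        self.ban = ban
        self.failures = {}      # ip -> timestamps of failures still in the window
        self.banned_until = {}  # ip -> datetime at which the block lapses

    def is_blocked(self, ip, now):
        until = self.banned_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Record one failure at `now`; return True if it triggers a new block."""
        if self.is_blocked(ip, now):
            return False  # the firewall would already be dropping this one
        recent = [t for t in self.failures.get(ip, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.banned_until[ip] = now + self.ban
            self.failures[ip] = []  # start counting afresh when the block lapses
            return True
        self.failures[ip] = recent
        return False


def replay(lines, guard, year=2011):
    """Feed log lines to the guard in order; return [(ip, block_time), ...]."""
    blocks = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue  # accepted logins and other noise are not failures
        ts, ip = parsed
        if guard.record_failure(ip, ts):
            blocks.append((ip, ts))
    return blocks


# Constructed sample log in time order; no real host is represented.
SAMPLE_LOG = [
    "May  6 09:00:01 home sshd[1201]: Failed password for root from 198.51.100.7 port 41022 ssh2",
    "May  6 09:00:04 home sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 41030 ssh2",
    "May  6 09:00:09 home sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 41041 ssh2",
    "May  6 09:00:30 home sshd[1207]: Accepted publickey for george from 203.0.113.17 port 50012 ssh2",
    "May  6 09:01:00 home sshd[1210]: Failed password for root from 198.51.100.7 port 41100 ssh2",
    "May  6 09:02:00 home sshd[1220]: Failed password for george from 203.0.113.17 port 50020 ssh2",
    "May  6 09:02:40 home sshd[1221]: Failed password for george from 203.0.113.17 port 50021 ssh2",
    "May  6 09:03:00 home sshd[1225]: Failed password for root from 192.0.2.33 port 33001 ssh2",
    "May  6 09:04:30 home sshd[1226]: Failed password for root from 192.0.2.33 port 33002 ssh2",
    "May  6 09:06:00 home sshd[1227]: Failed password for root from 192.0.2.33 port 33003 ssh2",
    "May  6 09:06:10 home sshd[1230]: Failed password for root from 198.51.100.7 port 41200 ssh2",
]

if __name__ == "__main__":
    guard = LoginGuard()
    for ip, when in replay(SAMPLE_LOG, guard):
        print(f"block {ip} from {when:%H:%M:%S} until {when + guard.ban:%H:%M:%S}")
```

Running it blocks 198.51.100.7 after its third failure at 09:00:09 and ignores its attempt at 09:01:00; george's two slips forty seconds apart never reach the limit, and the 09:06:10 failure starts a fresh count because the block has lapsed. Note that 192.0.2.33, guessing once every ninety seconds, is never blocked: a fixed window only stops the noisy scripts, which is why Joel also wants the global one-attempt-per-second throttle.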

Re: OT: Safe to access SSH server from work?

2011-05-07 Thread Andrei Popescu
On Thu, 05 May 11, 23:09:02, Brian wrote:
>
> You can be confident that the default Debian install of openssh-server
> has a configuration which is very safe. There is nothing for you to do.

While I wouldn't say that the Debian (actually upstream?) configuration 
is unsafe, there are ways to improve it, depending on your specific use 
case.

Regards,
Andrei
-- 
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic




Re: OT: Safe to access SSH server from work?

2011-05-06 Thread shawn wilson
> 2] in /etc/hosts.allow limit access to sshd accordingly (sshd: WORKPLACE
> IP);

I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
/ xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
on debian?


Re: OT: Safe to access SSH server from work?

2011-05-06 Thread shawn wilson
On May 5, 2011 8:15 PM, Perry Thompson ryperven...@yahoo.fr wrote:

> On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
>> On Thursday 5 May, 2011 15:09:02 Brian wrote:
>>> Use a strong password or ssh keys for access to the server. The
>>> question is whether you trust the machine you use at work.
>>
>> OK, say you -don't- trust your machine at work.  Workarounds?
>
> I suppose you could keep your public key with you on a USB drive and
> only put it on the computer when you need it, however I'm not sure how
> secure that would be :/


Something you have - thumb drive
Something you know - the ip / name of your machine

It's two factor enough imo.


Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Jochen Schulz
George:
> On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
>
>> If you only allow key-based authentication and install security
>> patches in a timely manner, the risk from running a public OpenSSH
>> server is low. Expect brute-force attempts to login using weak
>> passwords, though. If you only allow key logins, you can ignore that.
>
> What exactly is a key login?

You can authenticate to an OpenSSH server using a password, or using a
keyfile. On the client side, simply run 'ssh-keygen' to create a
keypair.

> The computer that needs to be accessed is running Windows and I have
> installed WinSSHD on it.

If your server was running linux, you would just need to add your public
key (generated by ssh-keygen) to the ~/.ssh/authorized_keys file. I
cannot help with WinSSHD.

> I see a DSA host
> key on its configuration screen, accompanied by an MD5 fingerprint.

The SSH protocol allows for both server and client authentication. The
host key is like an SSL certificate: it is there so that clients can
make sure they are communicating to the server they think they do.

> When I connected to it from my Debian box I received the
> aforementioned fingerprint. Is this process the key login you're
> referring to?

No, that's the host key, not the client key.

> I'm asking because in the configuration screen of
> WinSSHD there's also an indication of No RSA host key is currently
> employed. What is the difference between the two keys?

That probably only means that your server has a host key for the DSA
algorithm, but none for RSA. You don't need to care about that.

J.
-- 
I am getting worse rather than better.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html




Re: OT: Safe to access SSH server from work?

2011-05-06 Thread George
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:

> You can authenticate to an OpenSSH server using a password, or using a
> keyfile. On the client side, simply run 'ssh-keygen' to create a
> keypair.

So the attacker needs to guess my private key instead of my password.
How does that make his life more difficult, assuming my password was
very strong?


Archive: 
http://lists.debian.org/banlktikdtkmvc2hhn3lflfs07o_xjib...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 01:59:10 -0400, shawn wilson wrote:

> I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
> / xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
> on debian?

Daemons can also be linked against libwrap. sshd is (ldd /usr/sbin/sshd).


Archive: http://lists.debian.org/20110506084328.GG13057@desktop
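Brian's point is that tcpd's rules apply to any daemon linked against libwrap, not only to services started from inetd; `ldd /usr/sbin/sshd | grep libwrap` tells you whether your sshd is one of them. Upstream OpenSSH removed libwrap support in 6.7, so on a current system that check can come back empty, in which case hosts.allow entries for sshd are silently ignored. The Python below is an added example, not code from the thread or from tcp_wrappers: it evaluates a hosts.allow/hosts.deny pair the way hosts_access(5) describes (allow file first, then deny file, then default allow; the first matching rule decides; `EXCEPT`, trailing-dot address prefixes and net/mask client patterns), against a handful of constructed rules. WORKPLACE_IP is a placeholder for the address shawn's quoted advice refers to.

```python
import ipaddress
import re


def _client_matches(pattern, client_ip):
    """One client pattern from hosts_access(5) against a dotted-quad address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # '192.168.1.' matches by address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                 # 'net/mask' form, e.g. 10.0.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip        # literal address


def _list_matches(list_text, item_matches):
    """Evaluate 'a, b EXCEPT c' (EXCEPT nests to the right, as tcpd does)."""
    head, *rest = re.split(r"\s+EXCEPT\s+", list_text, maxsplit=1)
    hit = any(item_matches(tok) for tok in head.replace(",", " ").split())
    if hit and rest:
        return not _list_matches(rest[0], item_matches)
    return hit


def _parse_rules(text):
    """Yield (daemon_list, client_list) per rule; comments and options dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) >= 2:           # daemon_list : client_list [: option]
            yield fields[0].strip(), fields[1].strip()


def _file_matches(text, daemon, client_ip):
    for daemons, clients in _parse_rules(text):
        if (_list_matches(daemons, lambda d: d in ("ALL", daemon))
                and _list_matches(clients, lambda c: _client_matches(c, client_ip))):
            return True                # first matching rule decides
    return False


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """True if tcpd would let `daemon` accept a connection from `client_ip`."""
    if _file_matches(allow_text, daemon, client_ip):
        return True
    if _file_matches(deny_text, daemon, client_ip):
        return False
    return True                        # matched neither file: access granted


# Constructed sample files; WORKPLACE_IP stands in for the real office address.
WORKPLACE_IP = "203.0.113.17"
HOSTS_ALLOW = f"""\
sshd: {WORKPLACE_IP}
sshd: 192.168.1.                         # the home LAN, by address prefix
sshd: 10.0.0.0/255.255.0.0 EXCEPT 10.0.99.1
"""
HOSTS_DENY = "ALL: ALL\n"                # everything not allowed above is refused

if __name__ == "__main__":
    for ip in (WORKPLACE_IP, "192.168.1.42", "10.0.5.5", "10.0.99.1", "198.51.100.9"):
        print(f"sshd from {ip}: {'allow' if hosts_access(HOSTS_ALLOW, HOSTS_DENY, 'sshd', ip) else 'deny'}")
```

The last rule of the deny file is what makes the allow list meaningful: with hosts.deny empty, a client matching nothing in hosts.allow is still let in, which is the default the man page describes and the mistake people make when they write only hosts.allow.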



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Tom Furie
On Fri, May 06, 2011 at 11:54:28AM +0300, George wrote:
> On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
>
>> You can authenticate to an OpenSSH server using a password, or using a
>> keyfile. On the client side, simply run 'ssh-keygen' to create a
>> keypair.
>
> So the attacker needs to guess my private key instead of my password.
> How does that make his life more difficult, assuming my password was
> very strong?

No, the attacker needs to HAVE your private key and KNOW the pass phrase
for that key. Assuming you keep your key secure and have a decent pass
phrase his life should be very difficult indeed.

Cheers,
Tom





Re: OT: Safe to access SSH server from work?

2011-05-06 Thread George
On 5/6/11, Tom Furie t...@furie.org.uk wrote:

>> So the attacker needs to guess my private key instead of my password.
>> How does that make his life more difficult, assuming my password was
>> very strong?
>
> No, the attacker needs to HAVE your private key and KNOW the pass phrase
> for that key. Assuming you keep your key secure and have a decent pass
> phrase his life should be very difficult indeed.

He still needs to guess a string, just like he does when password
authentication is used. What am I missing? Probably a lot, but I'm not
very experienced in security matters.


Archive: 
http://lists.debian.org/BANLkTimC0J4ZMR8LZpEDwNDSa5f=+-n...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Chris Davies
Rob Owens row...@ptd.net wrote:
> [...] you can run your ssh server on a port other than 22

I can thoroughly recommend this. Actually, to be pedantic, you can set
port forwarding from your router's port N to your server's port 22.

Other people have mentioned that you should put AllowUsers in your
sshd_config file, to restrict the accounts that could be permitted to log
in. Another item that's probably worth considering from a legal point
of view is to use the Banner option - also in sshd_config - to print
a message telling people to go away. (This has no technical value, but
could be used to support any legal action: I understand it helps block
the Oh, sorry, I must have logged in to the wrong system argument.)

Chris


Archive: http://lists.debian.org/0dpc98x9tq@news.roaima.co.uk
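Between the README excerpt Celejar posts (PermitRootLogin) and the AllowUsers, Banner and non-22 port advice Chris collects above, the thread has listed the sshd_config settings worth checking. The Python below is an added example, not code from the thread or from OpenSSH: it reads a config the way sshd_config(5) says sshd does and reports those settings. Two rules in that man page catch people out and the parser encodes both: for each keyword the first value obtained is the one used, so appending `PermitRootLogin no` to a file that already says `yes` changes nothing, and keywords after a `Match` line are conditional, not global. The defaults table reflects OpenSSH of the period (later releases default PermitRootLogin to prohibit-password), and both sample configs are constructed.

```python
import re

# Values sshd assumes when a keyword is absent (OpenSSH 5.x era).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "port": "22",
    "banner": "none",
    "allowusers": None,
}


def effective_options(text):
    """Map lower-cased keyword to its effective global value.

    Mirrors sshd_config(5): '#' starts a comment, keywords are
    case-insensitive, the FIRST value obtained for a keyword wins, and
    anything after a Match line applies conditionally rather than globally.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)                       # first value wins
    return opts


def audit(text):
    """Return findings for the settings this thread argues about; [] is clean."""
    opts = effective_options(text)

    def value(key):
        return opts.get(key, DEFAULTS[key])

    findings = []
    if value("permitrootlogin").lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable directly")
    if value("passwordauthentication").lower() == "yes":
        findings.append("PasswordAuthentication yes: exposed to password guessing")
    if value("allowusers") is None:
        findings.append("no AllowUsers: every local account may log in")
    if value("port") == "22":
        findings.append("Port 22: expect constant automated probing")
    if value("banner").lower() == "none":
        findings.append("no Banner: no pre-authentication notice")
    return findings


# Constructed: a default-looking file that somebody tried to harden by
# appending a line at the end, plus a Match block.
SAMPLE = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no     # commented out, so the default (yes) still applies
AllowUsers george
PermitRootLogin no             # appended later: ignored, the first value wins
Match User backup
    PasswordAuthentication no
"""

# Constructed: the same host after applying the thread's advice.
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers george
Banner /etc/issue.net
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE), ("hardened", HARDENED)):
        print(name, "->", audit(cfg) or ["nothing to flag"])
```

On the real host, `sshd -T` prints the values sshd would actually use and is the authoritative check; the parser here only makes the first-value-wins rule visible. If you take Chris's variant of forwarding router port N to the server's port 22, the Port 22 finding is expected and can be ignored.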



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Thu 05 May 2011 at 20:54:12 -0400, Rob Owens wrote:

> You could run Debian Live on a USB stick (or any other live distro,
> really).  Boot your work machine with that, and you will have a trusted
> machine.  Use that to ssh to your home machine.

I suppose this 'trusted machine' doesn't have a key logger on it?
 
> And follow the advice that others have already given you.  Specifically,
> disallow password authentication.  That is a biggie.  Even if you have a
> strong password, others on your home machine may not.  As already said,
> you can use AllowUsers in sshd_config to allow only specific users to
> have ssh access.

A strong password is no less secure in brute force terms than a key so
there is no reason to disallow it on those grounds. You can also be sure
you have never left it at home or elsewhere.


Archive: http://lists.debian.org/20110506091352.GH13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 02:06:17 -0400, shawn wilson wrote:

> Something you have - thumb drive
> Something you know - the ip / name of your machine

With an untrusted machine on a network you do not control both are
capable of becoming the property of someone else.
 
> It's two factor enough imo.

From the server's viewpoint this is single factor only.


Archive: http://lists.debian.org/20110506092428.GI13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 11:54:28 +0300, George wrote:

> So the attacker needs to guess my private key instead of my password.
> How does that make his life more difficult, assuming my password was
> very strong?

It is easy to construct a password which would take 10,000 years to
guess or brute force. A key might succumb after 10,000,000 years.
Imagine you are an attacker. You want an easy life. What decision would
you make?

Remember also that the password is stored on a medium which in normal
circumstances is 100% safe and always available.


Archive: http://lists.debian.org/20110506094817.GJ13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 09:06, shawn wilson ag4ve...@gmail.com wrote:
>> I suppose you could keep your public key with you on a USB drive and
>> only put it on the computer when you need it, however I'm not sure how
>> secure that would be :/
>
>
> Something you have - thumb drive
> Something you know - the ip / name of your machine
>
> It's two factor enough imo.

If the client is compromised, then the attacker will also know the
ip/name of your machine once you use it on that computer. Furthermore,
the thumbdrive is not something you have, it is only used to transport
something you know, so that will be compromised on the client as well.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/banlktikpywkopjhjk6pypkjd_y7tpfm...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 12:02, Tom Furie t...@furie.org.uk wrote:
> No, the attacker needs to HAVE your private key and KNOW the pass phrase
> for that key. Assuming you keep your key secure and have a decent pass
> phrase his life should be very difficult indeed.


Yes, but using that key on a computer that he does not trust is NOT
keeping the key secure.

To answer the OP, there is no straightforward way to connect to your
machine from a computer that you don't trust and still be safe. You
can try port-knocking which will slow down an attacker until he
figures out that is what you are doing from the compromised machine.
You might also have better luck with one-time passwords or one-time
keys.

Or, if it is possible, set up a web interface to whatever you want to
control on your home computer and do it in a browser. That will limit
the exposure of the machine to whatever services you are controlling
from the browser.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/banlktimf4dvqpht_e5awrkmwnpjnnzv...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Jochen Schulz
George:
> On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
>
>> You can authenticate to an OpenSSH server using a password, or using a
>> keyfile. On the client side, simply run 'ssh-keygen' to create a
>> keypair.
>
> So the attacker needs to guess my private key instead of my password.

Exactly.

> How does that make his life more difficult, assuming my password was
> very strong?

A keyfile is longer and contains more entropy. I doubt yours is using a
password with 1024 bits of entropy, let alone 2048 or 4096. Even for
only 1024 bits of entropy you would need a passphrase of 128 characters
to match a keyfile's strength. And that's only if you assume your
password has an entropy of 8 bits per character, which probably isn't
the case (see here:
http://en.wikipedia.org/wiki/Password_strength#Random_passwords and the
table below that).

If an attacker has access to your passphrase-protected private key file,
security is of course reduced to your passphrase's strength, which puts
you into almost the same situation as with a login without a keyfile.

J.
-- 
I spend money without thinking on products and clothes that I believe
will enhance my social standing.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html
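Joel's bc line earlier in the thread and Jochen's entropy comparison above are the same calculation seen from two sides. The Python below is an added example rather than anything posted in the thread: it reproduces Joel's figure exactly (integer division, as bc with the default scale does) and then varies the guess rate and character set, which is where the practical lesson sits: the defender sets the rate for online guessing against sshd, but an attacker who has stolen a password hash or a passphrase-protected key file sets his own. The offline rate is a round-number assumption, not a measurement. One caveat on the numbers above: an RSA modulus length is not a security level; NIST SP 800-57 puts 1024-bit RSA at roughly 80 bits and 2048-bit at 112, so that, not the modulus size, is the entropy a password would have to match.

```python
import math

SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Guess rates compared below. The first two come from Joel's message;
# the offline figure is an assumption for illustration only.
RATES = {
    "2^20 guesses/s (Joel's bc line)": 1024 * 1024,
    "1 guess/s (sshd throttled as Joel suggests)": 1,
    "10^10 guesses/s offline against a stolen hash (assumed)": 10 ** 10,
}


def search_space(charset_size, length):
    """Number of distinct passwords of exactly this length over the charset."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password of this shape, in bits."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Whole years needed to try the entire space at a constant rate.

    Integer (floor) division, which is what bc does at its default scale,
    so the 95^15 case returns Joel's number exactly.
    """
    return search_space(charset_size, length) // (guesses_per_second * SECONDS_PER_YEAR)


def length_for_bits(charset_size, bits):
    """Shortest random password over the charset that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(charset_size))


def compare(charset_size=95, length=15):
    """Years to exhaust one password shape at each rate in RATES."""
    return {name: years_to_exhaust(charset_size, length, rate) for name, rate in RATES.items()}


if __name__ == "__main__":
    for shape in ((95, 15), (95, 8), (26, 8)):
        print(f"{shape[1]} chars over {shape[0]} symbols = {entropy_bits(*shape):.1f} bits")
        for name, years in compare(*shape).items():
            print(f"   {years:>22} years at {name}")
    for bits in (80, 112, 128):
        print(f"{bits}-bit security needs {length_for_bits(95, bits)} random printable chars "
              f"or {length_for_bits(26, bits)} random lower-case letters")
```

The output makes both sides of the thread's argument concrete: fifteen random printable characters are out of reach at any of the three rates, while eight characters last about a week offline yet two hundred million years against a throttled sshd. Matching 1024 bits of entropy would need 156 random printable characters, not 128, because log2(95) is about 6.57 bits per character rather than 8; matching the 80-bit security that 1024-bit RSA actually provides needs thirteen.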




Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 12:13, Brian a...@cityscape.co.uk wrote:
>> You could run Debian Live on a USB stick (or any other live distro,
>> really).  Boot your work machine with that, and you will have a trusted
>> machine.  Use that to ssh to your home machine.
>
> I suppose this 'trusted machine' doesn't have a key logger on it?


Check the keyboard cable, good idea. Only a hardware keylogger would
be an attack vector once the machine is booted from removable media. A
key would help here, as it is not typed in anyway.


>> And follow the advice that others have already given you.  Specifically,
>> disallow password authentication.  That is a biggie.  Even if you have a
>> strong password, others on your home machine may not.  As already said,
>> you can use AllowUsers in sshd_config to allow only specific users to
>> have ssh access.
>
> A strong password is no less secure in brute force terms than a key so
> there is no reason to disallow it on those grounds. You can also be sure
> you have never left it at home or elsewhere.


A strong password can be keylogged, a key cannot.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/banlktikzth0omdgrz_gbuvhoevtyvmf...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 11:43, Brian a...@cityscape.co.uk wrote:
>> I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
>> / xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
>> on debian?
>
> Daemons can also be linked against libwrap. sshd is (ldd /usr/sbin/sshd).


Could you please expand on this a bit please. I'm not sure that I
understand the relevance. If there is some fine document that I should
be reading then a link to it would be appreciated. I like to read the
fine manual, but for this hole in my knowledge I'm not sure which
manual I should be reading.

Thanks.


-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/banlktimvlqebnhmazo0q5n5hyfx6ppq...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread CACook
On Friday 6 May, 2011 02:13:52 Brian wrote:
> A strong password is no less secure in brute force terms than a key so
> there is no reason to disallow it on those grounds. You can also be sure
> you have never left it at home or elsewhere.

What you're missing is the difference between someone trying to hack from the 
client machine... and a remote script trying to brute-force your server.  Big 
difference.


Archive: http://lists.debian.org/201105060451.16975.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 13:39:48 +0300, Dotan Cohen wrote:

> Could you please expand on this a bit please. I'm not sure that I
> understand the relevance. If there is some fine document that I should
> be reading then a link to it would be appreciated. I like to read the
> fine manual, but for this hole in my knowledge I'm not sure which
> manual I should be reading.

tcpd(8) will start you off.


Archive: http://lists.debian.org/20110506114557.GK13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 14:45, Brian a...@cityscape.co.uk wrote:
>> Could you please expand on this a bit please. I'm not sure that I
>> understand the relevance. If there is some fine document that I should
>> be reading then a link to it would be appreciated. I like to read the
>> fine manual, but for this hole in my knowledge I'm not sure which
>> manual I should be reading.
>
> tcpd(8) will start you off.


Thanks.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/BANLkTikSsO3q4gQvMDSq46PrsYxe9=h...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 13:48:23 +0300, Dotan Cohen wrote:

> However, keys are good to prevent brute-force attacks. Think of it
> like a 256-character password using the entire ASCII field. Also, keys
> are not susceptible to keyloggers.

I'm unsure whether you mean 'prevent' because neither keys nor passwords
can stop brute forcing attempts. If you mean a key (256 characters) is
stronger than a password (20 characters) I'd agree. But the key is no
more secure than the password. Not unless the attacker has considerably
more than the allotted three score years and ten to look forward to.
George may be past caring by then, though.

Keyloggers would get the key passphrase too. And the USB stick would
have its contents pilfered. So, keys don't appear to give any advantage
over passwords on an untrusted machine.


Archive: http://lists.debian.org/20110506120852.GL13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 12:23, George pinkisntw...@gmail.com wrote:
>> No, the attacker needs to HAVE your private key and KNOW the pass phrase
>> for that key. Assuming you keep your key secure and have a decent pass
>> phrase his life should be very difficult indeed.
>
> He still needs to guess a string, just like he does when password
> authentication is used. What am I missing? Probably a lot, but I'm not
> very experienced in security matters.


That is why the key is something you KNOW, not something you HAVE. If
one can capture your password locally, then one can capture your key
locally.

However, keys are good to prevent brute-force attacks. Think of it
like a 256-character password using the entire ASCII field. Also, keys
are not susceptible to keyloggers.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/BANLkTikoL+rPheqECU3136r8k=nwijx...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Brian
On Fri 06 May 2011 at 04:51:16 -0700, cac...@quantum-sci.com wrote:

> On Friday 6 May, 2011 02:13:52 Brian wrote:
>> A strong password is no less secure in brute force terms than a key so
>> there is no reason to disallow it on those grounds. You can also be sure
>> you have never left it at home or elsewhere.
>
> What you're missing is the difference between someone trying to hack from the
> client machine... and a remote script trying to brute-force your server.  Big
> difference.

No I'm not. But please explain the difference, bearing in mind the
complete ineffectiveness of remote scripts and the length of time needed
to guess even a 15 character password.


Archive: http://lists.debian.org/20110506121523.GM13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread CACook
On Friday 6 May, 2011 05:15:23 Brian wrote:
>> What you're missing is the difference between someone trying to hack from
>> the client machine... and a remote script trying to brute-force your server.
>> Big difference.
>
> No I'm not. But please explain the difference, bearing in mind the
> complete ineffectiveness of remote scripts and the length of time needed
> to guess even a 15 character password.

Yes.  You are.

To allow passwords for remote login, makes it possible for every SSH worm 
crawling around out there to try and try until it gets it right.  And there are 
lots of them.  And no, they -are- effective.

To disable passwords on the server and use a key, means you are asked for a 
password at the client, to open the key, and then once authenticated the key 
goes on to authenticate with the server.  Scripts banging away passwords on the 
server can never succeed.  Users on the client machine must have the key's 
password or they can't use it.


Archive: http://lists.debian.org/201105060550.22165.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dotan Cohen
On Fri, May 6, 2011 at 15:08, Brian a...@cityscape.co.uk wrote:
> On Fri 06 May 2011 at 13:48:23 +0300, Dotan Cohen wrote:
>
>> However, keys are good to prevent brute-force attacks. Think of it
>> like a 256-character password using the entire ASCII field. Also, keys
>> are not susceptible to keyloggers.
>
> I'm unsure whether you mean 'prevent' because neither keys nor passwords
> can stop brute forcing attempts. If you mean a key (256 characters) is
> stronger than a password (20 characters) I'd agree. But the key is no
> more secure than the password. Not unless the attacker has considerably
> more than the allotted three score years and ten to look forward to.
> George may be past caring by then, though.


Agreed, a strong password is good enough to prevent a brute force
attack for all practical purposes.


> Keyloggers would get the key passphrase too.

Useless without the key itself.

> And the USB stick would
> have its contents pilfered.

Agreed.

> So, keys don't appear to give any advantage
> over passwords on an untrusted machine.


Agreed that for purposes of saying nothing was taken then the key
gives no advantage. However, if the machine is only pilfering USB
contents (unlikely) or only has a keylogger (actually very likely)
then using a key will mitigate.

-- 
Dotan Cohen

http://gibberish.co.il
http://what-is-what.com


Archive: 
http://lists.debian.org/banlktin0nvnl70zynrgvfqs2n1hijx+...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread CACook
On Friday 6 May, 2011 05:08:52 Brian wrote:
> I'm unsure whether you mean 'prevent' because neither keys nor passwords
> can stop brute forcing attempts. If you mean a key (256 characters) is
> stronger than a password (20 characters) I'd agree. But the key is no
> more secure than the password. Not unless the attacker has considerably
> more than the allotted three score years and ten to look forward to.
> George may be past caring by then, though.

Can't you see what a difference the number and nature of characters means?  
It's the difference between 10 years and a million years.

 
 Keyloggers would get the key passphrase too. And the USB stick would
 have its contents pilfered. So, keys don't appear to give any advantage
 over passwords on an untrusted machine.

Can't you see the difference between the unlikeliness of a malevolent hacker 
actually at the client machine, and one out there on The Internets?  It's the 
difference between your cubicle buddy Bob, and the Russians and Chinese.

No sir.  Keys are far more secure.


Archive: http://lists.debian.org/201105060554.29076.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Wolfgang Karall
On Fri, May 06, 2011 at 01:08:52PM +0100, Brian wrote:
 Keyloggers would get the key passphrase too. And the USB stick
 would have its contents pilfered. So, keys don't appear to give any
 advantage over passwords on an untrusted machine.

For connecting from untrusted computers there are one-time passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafés, for example.

Cheers
Wolfgang


Archive: http://lists.debian.org/20110506131122.ga7...@lenny.spiney.org



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Jerome BENOIT



On 06/05/11 15:11, Wolfgang Karall wrote:

On Fri, May 06, 2011 at 01:08:52PM +0100, Brian wrote:

Keyloggers would get the key passphrase too. And the USB stick
would have its contents pilfered. So, keys don't appear to give any
advantage over passwords on an untrusted machine.


Combined with a 'cryptographic smart card', it is great.




For connecting from untrusted computers there are one-time passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafés, for example.

Cheers
Wolfgang




Jerome



Archive: http://lists.debian.org/4dc3f520.8060...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Jerome BENOIT

Hello List !




For connecting from untrusted computers there are one-time passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafés, for example.


By googling, I found this web page:

http://andrewho.co.uk/weblog/securing-authentication-in-debain-with-opie

Accordingly, a smart phone can be used to get the One Time Password.

Jerome
 







Archive: http://lists.debian.org/4dc414d7.8010...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Alex Mestiashvili

On 05/06/2011 02:50 PM, cac...@quantum-sci.com wrote:

On Friday 6 May, 2011 05:15:23 Brian wrote:
   

What you're missing is the difference between someone trying to hack from the
client machine... and a remote script trying to brute-force your server.  Big
difference.
   

No I'm not. But please explain the difference, bearing in mind the
complete ineffectiveness of remote scripts and the length of time needed
to guess even a 15 character password.
 

Yes.  You are.

Allowing passwords for remote login makes it possible for every SSH worm 
crawling around out there to try and try until it gets it right.  And there are 
lots of them.  And no, they -are- effective.

Disabling passwords on the server and using a key means you are asked for a 
password at the client, to open the key, and then once authenticated the key 
goes on to authenticate with the server.  Scripts banging away passwords on the 
server can never succeed.  Users on the client machine must have the key's 
password or they can't use it.


   
Not that easy: scripts which block bots, like denyhosts or pam-abl 
(http://pam-abl.deksai.com/), make the bots' life much harder.


Regards,
Alex



Archive: http://lists.debian.org/4dc4199f.6010...@biotec.tu-dresden.de
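The counting that denyhosts and pam-abl automate, as an added example that is not from the thread or from either project: two shell functions run over constructed OpenSSH auth.log lines (addresses from the documentation ranges), one flagging sources that repeatedly fail password authentication, one listing which method each accepted login used.

```shell
#!/bin/sh
# Added example (not from the thread): the per-source counting that denyhosts
# and pam-abl automate, run over a few constructed auth.log lines.  Addresses
# come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
May  6 14:02:11 home sshd[2231]: Failed password for root from 203.0.113.9 port 52211 ssh2
May  6 14:02:13 home sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 52212 ssh2
May  6 14:02:15 home sshd[2240]: Failed password for invalid user oracle from 203.0.113.9 port 52214 ssh2
May  6 14:02:40 home sshd[2255]: Accepted publickey for george from 198.51.100.23 port 40122 ssh2
May  6 14:05:01 home sshd[2260]: Failed password for george from 198.51.100.23 port 40130 ssh2
May  6 14:06:02 home sshd[2271]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
May  6 14:06:03 home sshd[2271]: Failed password for invalid user test from 192.0.2.77 port 33002 ssh2
May  6 14:06:04 home sshd[2271]: Failed password for invalid user test from 192.0.2.77 port 33003 ssh2
May  6 14:06:05 home sshd[2271]: Failed password for invalid user test from 192.0.2.77 port 33004 ssh2
EOF

# Print "ip total invalid_user_total" for every source with at least $2 failed
# password attempts in log $1, sorted by address.  A user who fumbles a
# password once (george above) stays below the threshold; dictionary scripts
# guessing non-existent accounts do not.
brute_force_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            fails[ip]++
            if ($0 ~ /for invalid user /) invalid[ip]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr) printf "%s %d %d\n", ip, fails[ip], invalid[ip] + 0
        }
    ' "$1" | sort
}

# Print "method user ip" for each successful login.  On a server that is meant
# to be key-only, any "password" row here means the running configuration is
# not what you think it is.
accepted_by_method() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "for")      user   = $(i + 1)
                if ($i == "from")     ip     = $(i + 1)
            }
            print method, user, ip
        }
    ' "$1"
}

# Usage against a real log: brute_force_sources /var/log/auth.log 5
brute_force_sources "$SAMPLE_LOG" 3
accepted_by_method "$SAMPLE_LOG"
```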



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dom

Hi folks

On 06/05/11 16:33, Jerome BENOIT wrote:

Hello List !




For connecting from untrusted computers there are one-time passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafés, for example.


By googling, I found this web page:

http://andrewho.co.uk/weblog/securing-authentication-in-debain-with-opie



I'm looking at controlled remote access via ssh too, so these posts have 
been very interesting to me.


However, libpam-opie seems to have been dropped by Debian after squeeze, 
due to lack of support, some security issues, and no updates for quite a 
few years.


I run Wheezy, is there a supported alternative to libpam-opie?

--
Dom



Archive: http://lists.debian.org/4dc41b12.30...@rpdom.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Robert Brockway

On Thu, 5 May 2011, Rob Owens wrote:


I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22.  It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids pesky scripts that
circulate the internet, trying to brute force ssh servers.


Hi Rob.  I'm glad you mentioned that it doesn't do anything for security. 
Yes it would keep logs a bit cleaner.  I've never[1] changed the ssh port 
on any host and never been terribly worried about the state of the logs as 
a result.


Changing the port is only really viable for home servers.  It can't 
reliably be done on any service used by a lot of people any more than you 
can do this for any other service.  You could of course do this if you are 
using SRV records (if the client supports it) but then you throw away the 
obscurity aspect anyway.


The idea of changing the port number for SSH seems to stem from the idea 
that SSH is somehow more dangerous to run than another service and so 
needs special treatment.  I think this idea comes from the fact that a 
successful SSH login will give you a shell and that sounds a bit scary. 
The thing to remember is that exploits of other network services normally 
involve the execution of arbitrary code.  And what is the arbitrary code 
that they run?  It is often a shell.


Most Linux systems will be using OpenSSH which comes from the OpenBSD 
project.  It is likely the best audited code on many Linux systems and is 
thus likely to be less of a threat to system security than running many 
other services.


Treat all network services as a potential threat whether they are designed 
to give you a shell or not.  Keep the system patched, restrict access to 
the service to legitimate users if you can, and follow best practice for 
locking down each service.


[1] I've been using SSH since 1996 or 1997.

Cheers,

Rob

--
Email: rob...@timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC  Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world



Archive: 
http://lists.debian.org/alpine.deb.2.00.1105070154560.7...@castor.opentrend.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Robert Brockway

On Fri, 6 May 2011, Brian wrote:


A strong password is no less secure in brute force terms than a key so


Oh yes it is.  A strong password may take a very long time to brute force, 
but that isn't what you said.


Breaking an arbitrarily long key pair is regarded as being 
cryptographically infeasible.  That means it isn't practical for anyone to 
even undertake the attack.


So how long does the key need to be?  That changes with time due to 
advances in computer hardware.  Right now attacks against 1024 bit RSA 
keys may be cryptographically feasible.  So use a longer key if you fear 
you may be subject to a sustained brute force attack[1].


[1] Hint: home users are probably not the targets here :)

Cheers,

Rob

--
Email: rob...@timetraveller.org Linux counter ID #16440
IRC: Solver (OFTC  Freenode)
Web: http://www.practicalsysadmin.com
Contributing member of Software in the Public Interest (http://spi-inc.org/)
Open Source: The revolution that silently changed the world



Archive: 
http://lists.debian.org/alpine.deb.2.00.1105070225570.7...@castor.opentrend.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Chris Davies
Robert Brockway rob...@timetraveller.org wrote:
 Yes it would keep logs a bit cleaner.  I've never[1] changed the ssh port 
 on any host and never been terribly worried about the state of the logs as 
 a result.

I tend to take a different view: if I can get rid of rubbish from the
logs then it makes it easier for a log scanner (or me) to see potentially
important issues - there's less potential for a false positive.

 Changing the port is only really viable for home servers.  It can't 
 reliably be done on any service used by a lot of people anymore than you 
 can do this for any other service.

At work we run a public ssh service on one tightly controlled
system. Actually, that system is configured to use certificate based
login, and the only thing that such accounts can run is sftp. We also use
IP based ACLs within the ssh configuration to help ensure that internal
system accounts cannot be used to login to this box from outside the
network.

This is on port 22, although given the amount of hassle we've had
getting our customers to use sftp instead of FTP, it would have been
only a minuscule incremental change to insist on a different port.

At home I run ssh on a different port (again with a certain amount of
lock-down). The difference here is that there is no 24x7 IT Services
group to monitor suspicious activity: there's only me.

 The idea of changing the port number for SSH seems to stem from the idea 
 that SSH is somehow more dangerous to run than another service and so 
 needs special treatment.

In a script kiddie world it is more dangerous as a successful login does
lead to a shell. You are right in that unpatched faulty services can
also lead to a compromise, which is why a public facing system should
run as few of them as possible.


 Most Linux systems will be using OpenSSH which comes from the OpenBSD 
 project.  It is likely the best audited code on many Linux systems and is 
 thus likely to be less of a threat to system security than running many 
 other services.

Er, the Debian ssh flaw from a very few years ago still occasionally
gets thrown at me, as part of some "eeww, you run Linux, don't you" FUD.


 [1] I've been using SSH since 1996 or 1997.

Snap :-)

Chris


Archive: http://lists.debian.org/9btd98xu74@news.roaima.co.uk



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Wolfgang Karall
Hello,

On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:
 However, libpam-opie seems to have been dropped by Debian after squeeze,  
 due to lack of support, some security issues, and no updates for quite a  
 few years.

 I run Wheezy, is there a supported alternative to libpam-opie?

A quick apt-cache search turns up libpam-otpw and otpw-bin available in
sid, haven't used them (yet) though.

Cheers
Wolfgang


Archive: http://lists.debian.org/20110506203739.ga25...@lenny.spiney.org



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Jerome BENOIT



On 06/05/11 22:37, Wolfgang Karall wrote:

Hello,

On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:

However, libpam-opie seems to have been dropped by Debian after squeeze,
due to lack of support, some security issues, and no updates for quite a
few years.

I run Wheezy, is there a supported alternative to libpam-opie?


A quick apt-cache search turns up libpam-otpw and otpw-bin available in
sid, haven't used them (yet) though.


http://motp.sourceforge.net/

but it seems that there is no Debian support for it.



Cheers
Wolfgang






Archive: http://lists.debian.org/4dc465f6.7040...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-06 Thread Dom

On 06/05/11 21:37, Wolfgang Karall wrote:

Hello,

On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:

However, libpam-opie seems to have been dropped by Debian after squeeze,
due to lack of support, some security issues, and no updates for quite a
few years.

I run Wheezy, is there a supported alternative to libpam-opie?


A quick apt-cache search turns up libpam-otpw and otpw-bin available in
sid, haven't used them (yet) though.



Thanks Wolfgang, I'll have a look at these :-)

--
Dom



Archive: http://lists.debian.org/4dc469af.9010...@rpdom.net



OT: Safe to access SSH server from work?

2011-05-05 Thread George
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.

What are the configuration steps that I will need to do on the server
and the client to be able to access the computer from my
workplace?


Archive: 
http://lists.debian.org/BANLkTinFavrwh5NcWFcdJCE8+M-ja5=u...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jochen Schulz
George:

 I have a computer at home that I'm doing some research on and I set up
 an SSH server on it so I can access it from other computers at home. I
 haven't opened up the network to the internet yet though, as I'm not
 confident enough that it is safe.

If you only allow key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.

 What are the configuration steps that I will need to do on the server

You probably need to configure a port forwarding on your router to port
22 on the server running OpenSSH. Additionally, you may want to use a
service like dyndns.com so that you can connect to your machine using a
stable hostname instead of a dynamically changing IP address.

 and the client to be able to access the computer from my
 workplace?

On a Windows system, I recommend using PuTTY. You don't need any special
configuration.

Be aware that using SSH from an untrusted host is a bad idea. If you
don't trust your employer, don't put your private key file on one of his
systems and don't enter your passphrase either.

J.
-- 
I wish I was gay.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html




Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jerome BENOIT

Hello List,

On 05/05/11 23:14, George wrote:

I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.

What are the configuration steps that I will need to do on the server
and the client to be able to access the computer from my
workplace?



Very briefly, on your home box:
0] install appropriate harden Debian packages;
1] set up a firewall (e.g., firehol Debian package);
2] in /etc/hosts.allow limit access to sshd accordingly (sshd: WORKPLACE IP);
3] configure /etc/ssh/sshd_config to allow only a small set of users (sshd_config AllowUsers), basically only you;
4] use public keys rather than passwords.

I guess that the list is incomplete, but it is certainly a good start.

hth,
Jerome



Archive: http://lists.debian.org/4dc31aea.3080...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread David Sanders
On May 5, 2011 10:15 PM, George pinkisntw...@gmail.com wrote:

 I have a computer at home that I'm doing some research on and I set up
 an SSH server on it so I can access it from other computers at home. I
 haven't opened up the network to the internet yet though, as I'm not
 confident enough that it is safe.

 What are the configuration steps that I will need to do on the server
 and the client to be able to access the computer from my
 workplace?


Forward port 22. Disable password based login to SSH. Install denyhosts. Run
ssh-keygen on your work computer and copy the public key securely into
authorized_keys on your home PC.

For starters that should be fairly secure.

David



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread George
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:

 If you only allow key-based authentication and install security
 patches in a timely manner, the risk from running a public OpenSSH
 server is low. Expect brute-force attempts to login using weak
 passwords, though. If you only allow key logins, you can ignore that.


What exactly is a key login? The computer that needs to be accessed is
running Windows and I have installed WinSSHD on it. I see a DSA host
key on its configuration screen, accompanied by an MD5 fingerprint.
When I connected to it from my Debian box I received the
aforementioned fingerprint. Is this process the key login you're
referring to? I'm asking because in the configuration screen of
WinSSHD there's also an indication of "No RSA host key is currently
employed". What is the difference between the two keys? Do I need to
use both of them to be safe when accessing from the Internet?


Archive: 
http://lists.debian.org/BANLkTi=qgum0ibnxhnaswwzfdu7d1pz...@mail.gmail.com



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Brian
On Fri 06 May 2011 at 00:14:36 +0300, George wrote:

 I have a computer at home that I'm doing some research on and I set up
 an SSH server on it so I can access it from other computers at home. I
 haven't opened up the network to the internet yet though, as I'm not
 confident enough that it is safe.

You can be confident that the default Debian install of openssh-server
has a configuration which is very safe. There is nothing for you to do.
 
 What are the configuration steps that I will need to do on the server
 and the client to be able to access the computer from my
 workplace?

Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.


Archive: http://lists.debian.org/20110505220902.GF13057@desktop



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread CACook
On Thursday 5 May, 2011 15:09:02 Brian wrote:
 Use a strong password or ssh keys for access to the server. The question
 is whether you trust the machine you use at work.

OK, say you -don't- trust your machine at work.  Workarounds?


Archive: http://lists.debian.org/201105051546.27573.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jerome BENOIT

Come with your own machine, presumably a laptop?

On 06/05/11 00:46, cac...@quantum-sci.com wrote:

On Thursday 5 May, 2011 15:09:02 Brian wrote:

Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.


OK, say you -don't- trust your machine at work.  Workarounds?






Archive: http://lists.debian.org/4dc32a38.5050...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jerome BENOIT



On 05/05/11 23:43, Jochen Schulz wrote:

George:


I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.


If you only allow key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.


What are the configuration steps that I will need to do on the server


You probably need to configure a port forwarding on your router to port
22 on the server running OpenSSH. Additionally, you may want to use a
service like dyndns.com so that you can connect to your machine using a
stable hostname instead of a dynamically changing IP address.



See the ddclient Debian package:
http://packages.debian.org/squeeze/ddclient





and the client to be able to access the computer from my
workplace?


On a Windows system, I recommend using PuTTY. You don't need any special
configuration.

Be aware that using SSH from an untrusted host is a bad idea. If you
don't trust your employer, don't put your private key file on one of his
systems and don't enter your passphrase either.

J.


--
Jerome BENOIT
jgmbenoit-at+rezozer*dot_net



Archive: http://lists.debian.org/4dc31ba3.90...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread CACook
On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:
 Expect brute-force attempts to login using weak
 passwords, though. If you only allow key logins, you can ignore that.

And how is that done?  When I set /etc/ssh/sshd_config|PasswordAuthentication 
no I get 'Connection reset by server'.


Archive: http://lists.debian.org/201105051524.13252.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jerome BENOIT

http://wiki.debian.org/ssh#ssh_without_password

On 06/05/11 00:24, cac...@quantum-sci.com wrote:

On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:

Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.


And how is that done?  When I set /etc/ssh/sshd_config|PasswordAuthentication 
no I get 'Connection reset by server'.






Archive: http://lists.debian.org/4dc33103.7010...@rezozer.net



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread CACook

I know all that.  But it still will ask for a password if you do not have the 
key, and thus is open to brute-force.

On Thursday 5 May, 2011 16:21:39 Jerome BENOIT wrote:
 http://wiki.debian.org/ssh#ssh_without_password
 
 On 06/05/11 00:24, cac...@quantum-sci.com wrote:
  On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:
  Expect brute-force attempts to login using weak
  passwords, though. If you only allow key logins, you can ignore that.
 
  And how is that done?  When I set 
  /etc/ssh/sshd_config|PasswordAuthentication no I get 'Connection reset by 
  server'.
 
 
 
 
 


Archive: http://lists.debian.org/201105051657.05024.cac...@quantum-sci.com



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Perry Thompson
On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
 On Thursday 5 May, 2011 15:09:02 Brian wrote:
 Use a strong password or ssh keys for access to the server. The question
 is whether you trust the machine you use at work.
 
 OK, say you -don't- trust your machine at work.  Workarounds?
 
 
I suppose you could keep your public key with you on a USB drive and
only put it on the computer when you need it, however I'm not sure how
secure that would be :/


Archive: http://lists.debian.org/4dc33d8f.2020...@yahoo.fr



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread CACook
On Thursday 5 May, 2011 17:15:11 Perry Thompson wrote:
 On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
  On Thursday 5 May, 2011 15:09:02 Brian wrote:
  Use a strong password or ssh keys for access to the server. The question
  is whether you trust the machine you use at work.
  
  OK, say you -don't- trust your machine at work.  Workarounds?
  
  
 I suppose you could keep your public key with you on a USB drive and
 only put it on the computer when you need it, however I'm not sure how
 secure that would be :/

I've just found that it is recommended to always set a passphrase when 
generating a key.  This makes it useless to someone else who tries to use it.  
The passphrase is evaluated on the client, rather than the server.  Brute-force 
attempts can never succeed.

I've also found that indeed to shut off passwords on the server it is 
sshd_config|PasswordAuthentication no.  But you must remember that this shuts 
you out when on a machine that's not in the server's authorized_keys.  

And it's good practice to generate a key on each client and put that in the 
server's authorized_keys, rather than using all the same key.  So if one 
machine is compromised, the rest won't be.


Archive: http://lists.debian.org/201105051732.03420.cac...@quantum-sci.com
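Jerome's checklist earlier on this page (AllowUsers, keys rather than passwords), David's "disable password based login", and CACook's finding just above that PasswordAuthentication no shuts out any client whose key is not yet in authorized_keys, as an added example that is not from the thread: a shell audit of an sshd_config that honours the two sshd parsing rules such checks usually get wrong, first occurrence wins and everything after the first Match line is conditional. The two sample configs and the 192.168.1.0/24 address are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# discussed here.  Two sshd rules matter: the FIRST occurrence of a keyword
# wins, and directives after the first "Match" line apply conditionally, so a
# global audit must stop reading at "Match".

# Print the effective global value of a keyword (keywords are case-insensitive).
global_value() {
    # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blanks
        tolower($1) == "match"      { exit }        # global section ends here
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# List Match lines whose block turns PasswordAuthentication back on; this is
# the usual way to keep passwords for the LAN while the internet side is key-only.
match_password_overrides() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == "passwordauthentication" && $2 == "yes" { print block }
    ' "$1"
}

# Print FINDING/NOTE lines; return 0 only when there are no findings.
audit_sshd_config() {
    cfg=$1
    findings=0
    pa=$(global_value "$cfg" PasswordAuthentication)
    if [ "$pa" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pa:-unset}', want 'no' (key-only logins)"
        findings=$((findings + 1))
    fi
    prl=$(global_value "$cfg" PermitRootLogin)
    if [ "$prl" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${prl:-unset}', want 'no'"
        findings=$((findings + 1))
    fi
    if [ -z "$(global_value "$cfg" AllowUsers)" ]; then
        echo "FINDING: no AllowUsers line; every local account may attempt a login"
        findings=$((findings + 1))
    fi
    match_password_overrides "$cfg" | while read -r blk; do
        echo "NOTE: passwords re-enabled for '$blk'"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample 1: Debian-style defaults of the time (root login on,
# PasswordAuthentication commented out, so sshd's default of "yes" applies).
SAMPLE_LAX=$(mktemp)
cat > "$SAMPLE_LAX" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the hardened form.  Put your public key into
# ~/.ssh/authorized_keys BEFORE switching PasswordAuthentication to no, or
# the next login from that client is refused.  The Match block (constructed
# 192.168.1.0/24 LAN) is why the audit must stop at the first "Match".
SAMPLE_HARDENED=$(mktemp)
cat > "$SAMPLE_HARDENED" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers george
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF

# Usage on a real server: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config "$SAMPLE_LAX" || echo "lax config: see findings above"
audit_sshd_config "$SAMPLE_HARDENED" && echo "hardened config: no findings"
```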



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Rob Owens
On Thu, May 05, 2011 at 03:46:27PM -0700, cac...@quantum-sci.com wrote:
 On Thursday 5 May, 2011 15:09:02 Brian wrote:
  Use a strong password or ssh keys for access to the server. The question
  is whether you trust the machine you use at work.
 
 OK, say you -don't- trust your machine at work.  Workarounds?
 
You could run Debian Live on a USB stick (or any other live distro,
really).  Boot your work machine with that, and you will have a trusted
machine.  Use that to ssh to your home machine.

And follow the advice that others have already given you.  Specifically,
disallow password authentication.  That is a biggie.  Even if you have a
strong password, others on your home machine may not.  As already said,
you can use AllowUsers in sshd_config to allow only specific users to
have ssh access.

I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22.  It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids pesky scripts that
circulate the internet, trying to brute force ssh servers.

-Rob


Archive: http://lists.debian.org/20110506005412.gd17...@aurora.owens.net



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Nate Bargmann
* On 2011 05 May 19:56 -0500, Rob Owens wrote:

 I hesitate to mention this, because it will start an argument about
 security through obscurity, but you can run your ssh server on a port
 other than 22.  It really does nothing for security, but it will keep
 your firewall logs a lot cleaner because it avoids pesky scripts that
 circulate the internet, trying to brute force ssh servers.

There is the case where the ISP to your home server blocks port 22.  In
such a case simply set the server's port to something memorable such as
4022 or some such and adjust your firewall(s), port forwarding, and
destination port from the client to suit.  It's unlikely that high ports
above 1024 will be blocked.

I use PuTTY and had to play with some screen related settings to get
Mutt to display graphics characters correctly.  On the whole the setup
works very well.  And yes I do use public key access only and have for
several years.

- Nate 

-- 

The optimist proclaims that we live in the best of all
possible worlds.  The pessimist fears this is true.

Ham radio, Linux, bikes, and more: http://www.n0nb.us


Archive: http://lists.debian.org/20110506013802.gb25...@n0nb.us



Re: OT: Safe to access SSH server from work?

2011-05-05 Thread Jerome BENOIT



On 06/05/11 02:54, Rob Owens wrote:

On Thu, May 05, 2011 at 03:46:27PM -0700, cac...@quantum-sci.com wrote:

On Thursday 5 May, 2011 15:09:02 Brian wrote:

Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.


OK, say you -don't- trust your machine at work.  Workarounds?


You could run Debian Live on a USB stick (or any other live distro,
really).  Boot your work machine with that, and you will have a trusted
machine.  Use that to ssh to your home machine.

And follow the advice that others have already given you.  Specifically,
disallow password authentication.  That is a biggie.  Even if you have a
strong password, others on your home machine may not.  As already said,
you can use AllowUsers in sshd_config to allow only specific users to
have ssh access.

I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22.  It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids pesky scripts that
circulate the internet, trying to brute force ssh servers.


A good point about this is that it lets you easily set up the port table
of your home router as a routing table: the flow can be directed to computers
according to the port of the flow. In particular, you can direct port 22
to a dummy computer, and your obscure port to your important computer.

Jerome  






-Rob






Archive: http://lists.debian.org/4dc357ee.1080...@rezozer.net