On Sat, 14 May 2011 23:15:33 +0900
Joel Rees joel.r...@gmail.com wrote:
...
Disable root login on ssh entirely. (/etc/ssh/sshd_config has that
enabled in my more-or-less default install. That is, I think, so you
don't find yourself in a catch-22 when installing remotely. Should be
in a list
On Fri, May 6, 2011 at 6:14 AM, George pinkisntw...@gmail.com wrote:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident
On Jo, 05 mai 11, 23:09:02, Brian wrote:
You can be confident that the default Debian install of openssh-server
has a configuration which is very safe. There is nothing for you to do.
While I wouldn't say that the Debian (actually upstream?) configuration
is unsafe, there are ways to improve
2] in /etc/hosts.allow limit access to sshd accordingly (sshd: WORKPLACE
IP);
I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
/ xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
on debian?
On May 5, 2011 8:15 PM, Perry Thompson ryperven...@yahoo.fr wrote:
On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The
question
is whether you trust the machine you use at work.
George:
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
If you only allowing key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
You can authenticate to an OpenSSH server using a password, or using a
keyfile. On the client side, simply run 'ssh-keygen' to create a
keypair.
So the attacker needs to guess my private key instead of my password.
How does that make his
On Fri 06 May 2011 at 01:59:10 -0400, shawn wilson wrote:
I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
/ xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
on debian?
Daemons can also be linked against libwrap. sshd is (ldd
On Fri, May 06, 2011 at 11:54:28AM +0300, George wrote:
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
You can authenticate to an OpenSSH server using a password, or using a
keyfile. On the client side, simply run 'ssh-keygen' to create a
keypair.
So the attacker needs to guess
On 5/6/11, Tom Furie t...@furie.org.uk wrote:
So the attacker needs to guess my private key instead of my password.
How does that make his life more difficult, assuming my password was
very strong?
No, the attacker needs to HAVE your private key and KNOW the pass phrase
for that key.
Rob Owens row...@ptd.net wrote:
[...] you can run your ssh server on a port other than 22
I can thoroughly recommend this. Actually, to be pedantic, you can set
port forwarding from your router's port N to your server's port 22.
Other people have mentioned that you should put AllowUsers in your
On Thu 05 May 2011 at 20:54:12 -0400, Rob Owens wrote:
You could run Debian Live on a USB stick (or any other live distro,
really). Boot your work machine with that, and you will have a trusted
machine. Use that to ssh to your home machine.
I suppose this 'trusted machine' doesn't have a
On Fri 06 May 2011 at 02:06:17 -0400, shawn wilson wrote:
Something you have - thumb drive
Something you know - the ip / name of your machine
With an untrusted machine on a network you do not control both are
capable of becoming the property of someone else.
It's two factor enough imo.
On Fri 06 May 2011 at 11:54:28 +0300, George wrote:
So the attacker needs to guess my private key instead of my password.
How does that make his life more difficult, assuming my password was
very strong?
It is easy to construct a password which would take 10,000 years to
guess or brute force.
On Fri, May 6, 2011 at 09:06, shawn wilson ag4ve...@gmail.com wrote:
I suppose you could keep your public key with you on a USB drive and
only put it on the computer when you need it, however I'm not sure how
secure that would be :/
Something you have - thumb drive
Something you know - the
On Fri, May 6, 2011 at 12:02, Tom Furie t...@furie.org.uk wrote:
No, the attacker needs to HAVE your private key and KNOW the pass phrase
for that key. Assuming you keep your key secure and have a decent pass
phrase his life should be very difficult indeed.
Yes, but using that key on a
George:
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
You can authenticate to an OpenSSH server using a password, or using a
keyfile. On the client side, simply run 'ssh-keygen' to create a
keypair.
So the attacker needs to guess my private key instead of my password.
Exactly.
On Fri, May 6, 2011 at 12:13, Brian a...@cityscape.co.uk wrote:
You could run Debian Live on a USB stick (or any other live distro,
really). Boot your work machine with that, and you will have a trusted
machine. Use that to ssh to your home machine.
I suppose this 'trusted machine' doesn't
On Fri, May 6, 2011 at 11:43, Brian a...@cityscape.co.uk wrote:
I'm prepared to be wrong here but, aren't the hosts.* configs just for inetd
/ xinetd and (possibly) portmap? And, IIRC, ssh installs as an init script
on debian?
Daemons can also be linked against libwrap. sshd is (ldd
On Friday 6 May, 2011 02:13:52 Brian wrote:
A strong password is no less secure in brute force terms than a key so
there is no reason to disallow it on those grounds. You can also be sure
you have never left it at home or elsewhere.
What you're missing is the difference between someone trying
On Fri 06 May 2011 at 13:39:48 +0300, Dotan Cohen wrote:
Could you please expand on this a bit please. I'm not sure that I
understand the relevance. If there is some fine document that I should
be reading then a link to it would be appreciated. I like to read the
fine manual, but for this
On Fri, May 6, 2011 at 14:45, Brian a...@cityscape.co.uk wrote:
Could you please expand on this a bit please. I'm not sure that I
understand the relevance. If there is some fine document that I should
be reading then a link to it would be appreciated. I like to read the
fine manual, but for
On Fri 06 May 2011 at 13:48:23 +0300, Dotan Cohen wrote:
However, keys are good to prevent brute-force attacks. Think of it
like a 256-character password using the entire ASCII field. Also, keys
are not susceptible to keyloggers.
I'm unsure whether you mean 'prevent' because neither keys nor
On Fri, May 6, 2011 at 12:23, George pinkisntw...@gmail.com wrote:
No, the attacker needs to HAVE your private key and KNOW the pass phrase
for that key. Assuming you keep your key secure and have a decent pass
phrase his life should be very difficult indeed.
He still needs to guess a string,
On Fri 06 May 2011 at 04:51:16 -0700, cac...@quantum-sci.com wrote:
On Friday 6 May, 2011 02:13:52 Brian wrote:
A strong password is no less secure in brute force terms than a key so
there is no reason to disallow it on those grounds. You can also be sure
you have never left it at home or
On Friday 6 May, 2011 05:15:23 Brian wrote:
What you're missing is the difference between someone trying to hack from
the
client machine... and a remote script trying to brute-force your server.
Big
difference.
No I'm not. But please explain the difference, bearing in mind the
On Fri, May 6, 2011 at 15:08, Brian a...@cityscape.co.uk wrote:
On Fri 06 May 2011 at 13:48:23 +0300, Dotan Cohen wrote:
However, keys are good to prevent brute-force attacks. Think of it
like a 256-character password using the entire ASCII field. Also, keys
are not susceptible to keyloggers.
On Friday 6 May, 2011 05:08:52 Brian wrote:
I'm unsure whether you mean 'prevent' because neither keys nor passwords
can stop brute forcing attempts. If you mean a key (256 characters) is
stronger than a password (20 characters) I'd agree. But the key is no
more secure than the password. Not
On Fri, May 06, 2011 at 01:08:52PM +0100, Brian wrote:
Keyloggers would get the key passphrase too. And the USB stick
would have its contents pilfered. So, keys don't appear to give any
advantage over passwords on an untrusted machine.
For the connect from untrusted computers there are
On 06/05/11 15:11, Wolfgang Karall wrote:
On Fri, May 06, 2011 at 01:08:52PM +0100, Brian wrote:
Keyloggers would get the key passphrase too. And the USB stick
would have its contents pilfered. So, keys don't appear to give any
advantage over passwords on an untrusted machine.
combined with
Hello List !
For the connect from untrusted computers there are one-time-passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafe's for example.
By googling, I found this web page:
On 05/06/2011 02:50 PM, cac...@quantum-sci.com wrote:
On Friday 6 May, 2011 05:15:23 Brian wrote:
What you're missing is the difference between someone trying to hack from the
client machine... and a remote script trying to brute-force your server. Big
difference.
No I'm not. But
Hi folks
On 06/05/11 16:33, Jerome BENOIT wrote:
Hello List !
For the connect from untrusted computers there are one-time-passwords.
I've used libpam-opie in the past with great success for the occasional
connection from internet cafe's for example.
By googling, I found this web page:
On Thu, 5 May 2011, Rob Owens wrote:
I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22. It really does nothing for security, but it will keep
your firewall logs a lot cleaner because it avoids
On Fri, 6 May 2011, Brian wrote:
A strong password is no less secure in brute force terms than a key so
Oh yes it is. A strong password may take a very long time to brute force,
but that isn't what you said.
Breaking an arbitrarily long key pair is regarded as being
cryptographically
Robert Brockway rob...@timetraveller.org wrote:
Yes it would keep logs a bit cleaner. I've never[1] changed the ssh port
on any host and never been terribly worried about the state of the logs as
a result.
I tend to take a different view: if I can get rid of rubbish from the
logs then it
Hello,
On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:
However, libpam-opie seems to have been dropped by Debian after squeeze,
due to lack of support, some security issues, and no updates for quite a
few years.
I run Wheezy, is there a supported alternative to libpam-opie?
A quick
On 06/05/11 22:37, Wolfgang Karall wrote:
Hello,
On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:
However, libpam-opie seems to have been dropped by Debian after squeeze,
due to lack of support, some security issues, and no updates for quite a
few years.
I run Wheezy, is there a
On 06/05/11 21:37, Wolfgang Karall wrote:
Hello,
On Fri, May 06, 2011 at 05:00:18PM +0100, Dom wrote:
However, libpam-opie seems to have been dropped by Debian after squeeze,
due to lack of support, some security issues, and no updates for quite a
few years.
I run Wheezy, is there a supported
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.
What are the configuration steps that I will need to
George:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.
If you only allowing key-based
Hello List,
On 05/05/11 23:14, George wrote:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.
What
On May 5, 2011 10:15 PM, George pinkisntw...@gmail.com wrote:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough
On 5/6/11, Jochen Schulz m...@well-adjusted.de wrote:
If you only allowing key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only allow key
On Fri 06 May 2011 at 00:14:36 +0300, George wrote:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say you -don't- trust your machine at work. Workarounds?
--
To UNSUBSCRIBE, email to
come with your own machine, presumably a laptop ?
On 06/05/11 00:46, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say you -don't-
On 05/05/11 23:43, Jochen Schulz wrote:
George:
I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.
On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:
Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.
And how is that done? When I set /etc/ssh/sshd_config|PasswordAuthentication
no I get 'Connection reset by server'.
--
http://wiki.debian.org/ssh#ssh_without_password
On 06/05/11 00:24, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:
Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.
And how is that done?
I know all that. But it still will ask for a password if you do not have the
key, and thus is open to brute-force.
On Thursday 5 May, 2011 16:21:39 Jerome BENOIT wrote:
http://wiki.debian.org/ssh#ssh_without_password
On 06/05/11 00:24, cac...@quantum-sci.com wrote:
On Thursday 5 May,
On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say you -don't- trust your machine at work. Workarounds?
I
On Thursday 5 May, 2011 17:15:11 Perry Thompson wrote:
On 05/05/2011 06:46 PM, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say
On Thu, May 05, 2011 at 03:46:27PM -0700, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say you -don't- trust your machine at work.
* On 2011 05 May 19:56 -0500, Rob Owens wrote:
I hesitate to mention this, because it will start an argument about
security through obscurity, but you can run your ssh server on a port
other than 22. It really does nothing for security, but it will keep
your firewall logs a lot cleaner
On 06/05/11 02:54, Rob Owens wrote:
On Thu, May 05, 2011 at 03:46:27PM -0700, cac...@quantum-sci.com wrote:
On Thursday 5 May, 2011 15:09:02 Brian wrote:
Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.
OK, say you
56 matches
Mail list logo