New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
As do I.
Are you fucking serious? This should be your first task before you even configure the damn hostname to your liking, unless you've got an ancient version of OpenSSH that needs immediate replacement.
ssh-copy-i ... ok let's stick to the password this is too much
I use telnet and automate with expect - it automatically types me into the server when I type 't server'.. my wife helped set up the script.
Logwatch, fail2ban, geoblocking - firewalling. - No point in your ssh being globally available ...
... and then you watch it like a hawk.
.... but of course much easier to set up key-based login ...
...and sshguard doesn't require installing Python for a single purpose.
"Let's block all those nasty ports and protocols, 67, 68, 546, 547, icmp, whatevah. Now I feel safe.
OK, now let's request some address/range with DHCP.
Oh my, why dis no work???
Holy cow, why u kick me out for flooding???"
@Shot2 for what it's worth, I endorse everyone in your sig- but I have yet to hear back from Stan..
You should only ever log in from your own systems. If that's "a pain", how many systems do you have exactly?
No, it wouldn't be? If somebody can access the system to grab the key from it, they can also just keylog your password. The only exception here is on e.g. a laptop that gets nabbed from you while it's turned off, in which case...
How is that 'even more effort'? Setting a password on your key is a one-time operation (you're even asked at the moment you generate the keypair!), and for logging in you still only need a single password, namely that which the key is encrypted with, and which still doesn't get sent to the server.
This is a nonsensical argument.
This, too, is complete nonsense. Shared-key attacks can be carried out by literally any script kiddie, and this routinely happens. Only one server needs to be compromised (through any means that gives root access, not just SSH), and now whoever compromised it can also access everything else you have.
Using passwords for SSH is insecure, full stop. There are no ifs, there are no buts, and this is absolutely nothing to do with "military grade protection" or "state-level adversaries".
I'm not saying this is the cause. I'm just saying that this is a security issue that needs to be addressed.
Lost count.
There's quite a difference between someone grabbing something off disk and installing a keylogger. One is completely passive, the other leaves traces. For example, simply copying a file out of an OpenVZ container, or someone recovering data off a discarded disk are examples of being able to get the private key without installing keyloggers.
(besides, this assumes that a keylogger can capture the password)
No, you have to enter it every single time you log in, in addition to supplying flags etc to pull the key across (I don't use the same key for every server - I have my reasons for this).
I'm not aware of what you mean by such attacks. Would you be able to clarify?
How so? Are you assuming the same password is used everywhere?
[citation needed]
Just because you don't get a problem that doesn't mean it's secure,...
Better safe than sorry,...