New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
Scroll back and read. At no point was I advocating password auth.
I get the impression, that this was the unintentional strawman you were arguing against.
Keys rule. Keep them on you at all times.
Firewalls keep the other random crap out. (don't use them as a crutch)
I'm going to address an old comment of yours now:
Depending on legal jurisdiction, LEA/stasi can force you to reveal keys or face jail/$5 spanner.
Not everyone is governed by US Bill of rights.
Here is where creativity can delay the oppression and give your side some time.
TLDR: I am both pro-keys and pro-obscurity. (in that exact order)
Not everyone is governed by US Bill of rights.
Here is where creativity can delay the oppression and give your side some time.
TLDR: I am both pro-keys and pro-obscurity. (in that exact order)
@joepie91 isn't governed by the US Bill of rights. He lives in the Netherlands. He just had copies of his keys I believe.
I get the impression, that this was the unintentional strawman you were arguing against.
Keys rule. Keep them on you at all times.
Firewalls keep the other random crap out. (don't use them as a crutch)
I wasn't arguing against passwords in that response. I was arguing against "a sequence of events".
Not everyone is governed by US Bill of rights.
Here is where creativity can delay the oppression and give your side some time.
Again, that's not what I was arguing about. You should really read the quotes better. I was responding very specifically to the suggestion of lost keys being a problem.
And that is what I am arguing against.
I didn't. I just recovered access to my servers through various control panels / VNCs and set a new key.
1) What's your take on port knocking secret sequences (to open :22 for 3 secs) ...
specifically, if paired with iptables port-scan detect-AND-block rules, on the host?
My thinking now goes... this would help increase the patch time-window against hypothetical Openssh zero-days, an order of magnitude better than a non-default ssh port.
(I guess the zero-day would have to be something that can cause buffer overflow even with key-auth ON .
a history of openssh vulns: http://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97)
2)In the case of a iptables whitelisted ssh-bastion-host, Is 2-factor auth (google?) worth looking at?
I believe that a conservative and standards based approach is the best. (insert well known reasons) Obscurity, although lots of fun, doesn't really work with that philosophy.
specifically, if paired with iptables port-scan detect-AND-block rules, on the host?
Given the limited port keyspace, it's very feasible to just distribute bruteforcing across a bunch of compromised machines, so that you don't hit such a portscan detection. Even if every attacker system only tried one port on a host, obtaining 65k compromised systems is not terribly hard.
Any attacker who either 1) portscans for SSH or 2) attempts to exploit a zeroday vulnerability is likely to be using the above approach.
(I guess the zero-day would have to be something that can cause buffer overflow even with key-auth ON .
a history of openssh vulns: http://www.cvedetails.com/product/585/Openbsd-Openssh.html?vendor_id=97)
That's an extremely rare edgecase. Sure, you could try to protect against that with the above approach, but I strongly doubt whether it's worth the trade-off of inconvenience and a (mostly false) sense of security.
Yeah, but not Google Authenticator. It's proprietary, unfortunately.
Also keep in mind the drawback of potentially making (semi-)automated processes over SSH harder, such as tunneling something else (like rsync) over it.
https://github.com/google/google-authenticator
I am aware. From the Android app README:
In other words, they've turned it proprietary, and the open-source version is unmaintained.
See also here.