[H-GEN] How safe is SSH on the internet?

Jason Parker-Burlingham jasonp at panix.com
Sun Jun 29 22:33:04 EDT 2003


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Stuart Longland <stuartl at longlandclan.hopto.org> writes:

> Christopher Biggs wrote:
> | Heed Mark's suggestion to prohibit SSH v1 (allowing only v2), also
> | consider using RSA or DSA authentication instead of passwords, or even
> | S-key.
>

> 	I could set up a set of keys on my USB hard drive (which has Cygwin
> installed), but otherwise, I'm edgy about having to rely solely on SSH
> keys for authentication as it means trying to install them onto a myriad
> of different clients.

S-key is very likely to be what you want.  After setting it up you get
a list of passphrases which can be used to log into the machine.
They're pretty simple ("ONE OCEAN FOREST APPLE DATUM" might be such a
phrase) but you work your way down the list from the first to last,
never using the same passphrase twice.  So even if someone does sniff
the passphrase---unlikely with SSH!---it will not help them at all.

For what it's worth I keep port 22 accessible to the general internet
and when I travel, I keep a copy of my keys---generated specially for
the trip I'm taking---and PuTTY on a floppy disk, which never leaves
my person.  For occasional use I'm usually content to just
authenticate with my password.

jason, and why are you allowing a user with a weak password to keep
       using it?  Oh, and you'll also need to keep a sharp eye on
       OpenSSL vulnerabilities---I warrant we haven't seen the last of
       *those*.
-- 
Stay up-to-date on what I'm doing lately:
                                 http://www.panix.com/~jasonp
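
The one-time list described in the message above cannot be replayed because each passphrase hashes to the one used just before it, so a sniffed value only reveals passwords that are already spent. The sketch below is an added illustration, not part of the original post and not the S/Key implementation: it substitutes SHA-256 truncated to 64 bits for S/Key's own hash, works with raw bytes instead of the word encoding, and the secret, seed, `Server` class and function names are constructed for the example.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the one-way function (SHA-256 cut to 64 bits)."""
    return hashlib.sha256(value).digest()[:8]


def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """Password number n: seed+secret passed through step() n times (n >= 1)."""
    value = step(seed + secret)
    for _ in range(n - 1):
        value = step(value)
    return value


class Server:
    """Holds only the last accepted password, never the user's secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial  # otp(secret, seed, count)
        self.count = count     # next login must present password count-1

    def login(self, candidate: bytes) -> bool:
        if self.count <= 1:
            return False       # list used up; the user must re-initialise
        if not hmac.compare_digest(step(candidate), self.stored):
            return False       # wrong, or an already-used password
        self.stored = candidate
        self.count -= 1
        return True


def demo():
    secret, seed, n = b"constructed secret", b"ke1234", 5  # constructed values
    server = Server(otp(secret, seed, n), n)
    first = otp(secret, seed, n - 1)
    results = [server.login(first)]                         # fresh password
    results.append(server.login(first))                     # sniffed and replayed
    results.append(server.login(otp(secret, seed, n - 2)))  # next on the list
    return results


if __name__ == "__main__":
    print(demo())
```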
