[H-GEN] How safe is SSH on the internet?
Jason Parker-Burlingham
jasonp at panix.com
Sun Jun 29 22:33:04 EDT 2003
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Stuart Longland <stuartl at longlandclan.hopto.org> writes:
> Christopher Biggs wrote:
> | Heed Mark's suggestion to prohibit SSH v1 (allowing only v2), also
> | consider using RSA or DSA authentication instead of passwords, or even
> | S-key.
>
> I could set up a set of keys on my USB hard drive (which has Cygwin
> installed), but otherwise, I'm edgy about having to rely solely on SSH
> keys for authentication as it means trying to install them onto a myriad
> of different clients.
S-key is very likely to be what you want. After setting it up you get
a list of passphrases which can be used to log into the machine.
They're pretty simple ("ONE OCEAN FOREST APPLE DATUM" might be such a
phrase) but you work your way down the list from the first to last,
never using the same passphrase twice. So even if someone does sniff
the passphrase---unlikely with SSH!---it will not help them at all.
For what it's worth I keep port 22 accessible to the general internet
and when I travel, I keep a copy of my keys---generated specially for
the trip I'm taking---and PuTTY on a floppy disk, which never leaves
my person. For occasional use I'm usually content to just
authenticate with my password.
jason, and why are you allowing a user with a weak password to keep
using it? Oh, and you'll also need to keep a sharp eye on
OpenSSL vulnerabilities---I warrant we haven't seen the last of
*those*.
--
Stay up-to-date on what I'm doing lately:
http://www.panix.com/~jasonp
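The S-key scheme Jason describes above (a printed list of passphrases, each usable once, worked through in order) as an added example that is not code from this thread: a simplified hash-chain one-time password, showing why a sniffed passphrase cannot be replayed. The hash function, list length and seed are assumptions; real S/Key (RFC 1760) folds MD4 output to 64 bits and prints each value as six dictionary words.

```python
import hashlib
import secrets

def skey_hash(data: bytes) -> bytes:
    """One step of the hash chain. Real S/Key folds MD4 output to 64 bits;
    SHA-256 truncated to 8 bytes stands in for it here (assumption)."""
    return hashlib.sha256(data).digest()[:8]

def make_list(seed: bytes, n: int):
    """Run the chain n times. Returns (host_anchor, passwords): the host keeps
    H^n(seed); the printed list, in the order the user consumes it, is
    H^(n-1) first down to H^1 last."""
    chain, value = [], seed
    for _ in range(n):
        value = skey_hash(value)
        chain.append(value)
    return chain[-1], chain[:-1][::-1]

class SkeyHost:
    """The host stores only the last accepted value plus a counter, so a copy
    of its state does not yield any password that is still unused."""
    def __init__(self, anchor: bytes, remaining: int):
        self.current = anchor
        self.remaining = remaining

    def login(self, candidate: bytes) -> bool:
        if self.remaining <= 0:
            return False          # list exhausted; user must re-initialise
        if skey_hash(candidate) != self.current:
            return False          # wrong, out of order, or already used
        self.current = candidate  # step one link down the chain
        self.remaining -= 1
        return True

def demo(n: int = 5) -> dict:
    """Walk a constructed list through the host and record each outcome."""
    seed = secrets.token_bytes(16)  # constructed; derived from a passphrase in real S/Key
    anchor, passwords = make_list(seed, n)
    host = SkeyHost(anchor, len(passwords))
    results = {
        "first_login": host.login(passwords[0]),   # fresh passphrase: accepted
        "replay": host.login(passwords[0]),        # sniffed and replayed: rejected
        "second_login": host.login(passwords[1]),
        "skip_ahead": host.login(passwords[3]),    # not the next link: rejected
    }
    results["rest"] = [host.login(p) for p in passwords[2:]]
    results["exhausted"] = host.login(passwords[-1])
    return results
```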