[H-GEN] Re: Blocking SSH exploits
bje at apnic.net
Mon Aug 23 01:05:04 EDT 2004
Robert Brockway wrote:
> I never allow ssh to be externally visible if it is accepting
> username/password access. Using ssh with some form of public key access
> only isn't hard but does require some pre-planning unless the list of
> locations you can ssh from is fixed.
I just set up my ssh server today to require Opie one-time passwords or
public keys from WAN hosts, while still allowing password authentication
from LAN hosts.
Anyone up to date on current thinking about the security of OTP systems?
Did I waste my time?
(As an aside, PAM doesn't actually allow you to provide different
policies based on any sort of connection class; in the end I said that
OTP auth was sufficient, but if that failed then the auth required both
a connection from a list of known hosts as well as the correct password.)
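
The auth policy described in the aside above, sketched as a PAM stack. This is an added example, not the poster's actual configuration; it assumes a Linux-PAM system with pam_opie installed, and the access file name and LAN range are placeholders.

```conf
# /etc/pam.d/sshd, auth section only (constructed example).
# Assumes sshd passes keyboard-interactive authentication to PAM (UsePAM yes).

# 1. A valid OPIE one-time password response ends the auth stack with success.
#    A failure here is not fatal; evaluation continues with the next line.
auth  sufficient  pam_opie.so

# 2. OTP failed or was not used: the client address must match an allow rule
#    in the access file. With "required", a failure here fails the whole
#    stack even if the password below is correct, but the password is still
#    prompted for. Use "requisite" instead to stop without prompting.
auth  required    pam_access.so accessfile=/etc/security/access-ssh.conf

# 3. The ordinary account password must also be correct.
auth  required    pam_unix.so

# /etc/security/access-ssh.conf (hypothetical file, placeholder LAN range):
#   + : ALL : 192.168.0.0/24
#   - : ALL : ALL
```

The ordering carries the policy: PAM has no per-connection-class branching, so the host restriction is expressed as a module that only matters once the `sufficient` OTP line has failed.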