[H-GEN] Re: Blocking SSH exploits

Byron Ellacott bje at apnic.net
Mon Aug 23 01:05:04 EDT 2004

Robert Brockway wrote:
> I never allow ssh to be externally visible if it is accepting
> username/password access.  Using ssh with some form of public key access
> only isn't hard but does require some pre-planning unless the list of
> locations you can ssh from is fixed.

I just set up my ssh server today to require Opie one time passwords or 
public keys from WAN hosts, while still allowing password authentication 
from LAN hosts.

Anyone up to date on current thinking about the security of OTP systems? 
Did I waste my time?

(As an aside, PAM doesn't actually allow you to provide different 
policies based on any sort of connection class; in the end I said that 
OTP auth was sufficient, but if that failed then the auth required both 
a connection from a list of known hosts as well as the correct password.)
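A PAM stack that expresses the policy described in that aside, added here as an illustration rather than the poster's actual configuration: it assumes a Linux-PAM style /etc/pam.d/sshd with pam_opie and pam_access available, and the access file path is a made-up placeholder.

```pam
# /etc/pam.d/sshd -- constructed example, not the original poster's file.
# Assumes sshd runs with "UsePAM yes" and that pam_opie and pam_access exist.

# 1. Try a one-time password first. "sufficient" means: success satisfies the
#    auth stack immediately; failure falls through to the lines below.
auth    sufficient  pam_opie.so

# 2. Otherwise the client must come from a listed host. pam_access checks the
#    remote host that sshd hands to PAM (PAM_RHOST) against the access file.
#    "required" (not "requisite") keeps the rest of the stack running after a
#    failure, so a rejected host still sees a password prompt and is not told
#    which check denied it.
auth    required    pam_access.so accessfile=/etc/security/access-ssh.conf

# 3. ...and must also supply the correct account password.
auth    required    pam_unix.so

# --- /etc/security/access-ssh.conf (placeholder path; pam_access format) ---
# permission : users : origins
# Password logins only from the LAN; anything else must have passed OPIE above.
+ : ALL : 192.168.1.0/255.255.255.0 LOCAL
- : ALL : ALL
```

Note that the LAN range shown is constructed; substitute the local network, and check that sshd's PAM service name matches the file name used here.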


