Date:      Thu, 3 Dec 2015 08:22:55 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: best practice for locking down private jail?
Message-ID:  <565FFBDF.40907@FreeBSD.org>
In-Reply-To: <20151203083926.72ad74db.freebsd@edvax.de>
References:  <CACcSE1yQO8AjW9rpY+d2p1-ArPbO4qKV0zcaCMyRhYEWLOpQGA@mail.gmail.com> <CACcSE1yqeXqd=mLJ-=aJGr0hXcUEE0v3MeiAty6e4cgpWF7D8g@mail.gmail.com> <20151203083926.72ad74db.freebsd@edvax.de>


On 03/12/2015 07:39, Polytropon wrote:
> Oh, and regarding SSH with keys: You can force keys _and_ a
> password. Educate the user what a secure password is, and make
> him understand "password hygiene". So even if someone is able
> to get his SSH keys, the attacker cannot get access without the
> password (which is to be provided interactively, not stored in
> plain text in some configuration or history file, of course).

Keys *and* a password doesn't offer any additional security over just
keys alone.  Of course, your keys for interactive use should be secured
with a passphrase -- this is used to encrypt and decrypt the private key
using a symmetric cipher, so that even if an attacker is able to steal
the private key, it is unfeasible for them to be able to decrypt it.
That passphrase is prompted for during the ssh login very similarly to
the way a password is prompted for[*].

As far as I know, there is no way server side to enforce the use of a
key that has been protected with a passphrase, and there are good and
legitimate reasons to want to use passphrase-less keys for various
purposes.

One thing I'd certainly recommend is tightening up the SSH configuration
to ensure you're using the best available crypto.  There are, for
instance, known problems with dss keys used with moduli of 1024 bits or
less.  See --

   https://weakdh.org/

Here's a very thorough guide to locking down SSH.  It's probably
overkill for most users though:

   https://stribika.github.io/2015/01/04/secure-secure-shell.html

	Cheers,

	Matthew

[*] Although personally I use an ssh agent -- gpg-agent from gnupg2 --
so I only get prompted for the passphrase occasionally.  Which is a real
sanity saver considering how frequently I'm logging into various
different machines.

