Date:      Wed, 24 Jun 2009 17:12:59 +0200
From:      cpghost <cpghost@cordula.ws>
To:        Erik Norgaard <norgaard@locolomo.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Best practices for securing SSH server
Message-ID:  <20090624151259.GA2367@phenom.cordula.ws>
In-Reply-To: <4A423D19.4050602@locolomo.org>
References:  <b6c05a470906221816l4001b92cu82270632440ee8a@mail.gmail.com> <4A406D81.3010803@locolomo.org> <b6c05a470906230653i6ce647c1p415e769b63d9e169@mail.gmail.com> <4A4109DE.3050000@locolomo.org> <b6c05a470906231311q48a56fddk77b456dc29695ed3@mail.gmail.com> <4A413CF8.60901@locolomo.org> <20090624143613.6a87a749@gumby.homeunix.com> <4A422FCB.2050900@locolomo.org> <20090624140221.GA1974@phenom.cordula.ws> <4A423D19.4050602@locolomo.org>

On Wed, Jun 24, 2009 at 04:50:01PM +0200, Erik Norgaard wrote:
> cpghost wrote:
> > On Wed, Jun 24, 2009 at 03:53:15PM +0200, Erik Norgaard wrote:
> > But port knocking can be useful and provide more security *if* you
> > modify the knocking sequence algorithmically and make it, e.g. a
> > function of time, source IP/range (and other factors). This could
> > prevent a whole class of replay-attacks.
> > 
> > Of course, you can modify the keys/passwords algorithmically and
> > make them a function of time, source IP etc. as well... ;-)
> 
> I don't think it's worth wasting time trying to repair a conceptually 
> bad idea, in particular when there are so many alternatives.
> 
> Whichever way you turn around this idea, it boils down to a shared 
> secret. The security of a shared secret is inversely proportional to the 
> people knowing it, while the trouble of changing it is proportional to 
> the number knowing it.
> 
> You've already got individual passwords in place. If your knock 
> sequence/shared secret is randomly chosen of say 1 million (any number 
> will do for the example) won't you get better security increasing the 
> entropy of the individual passwords equivalently?

Agreed.

> > And while we're at it: how about real OPIE? Or combining SSH keys,
> > OPIE, and port knocking?
> 
> What is the easier solution: implement port knocking or doubling the 
> length of your ssh keys?

It all boils down to this: do you login from a secure machine
or not? Each tool has its own set of uses. When I want to log in
from a public terminal, I prefer OPIE; when I log in from home,
I prefer SSH keys. Port knocking is an interesting technique, but
as you pointed out, it's only useful on machines with very few
accounts.

> Each of the technologies you mention can be tuned for higher security 
> using longer passwords, checking entropy when people choose a new 
> password, more ports in the range of your combination, more knocks etc.
> 
> I don't get why you wish to combine different technologies rather than 
> tune the well tested and tried already implemented out of the box 
> methods for higher security.

I totally agree.

> BR, Erik
> 
> -- 
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/
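The idea cpghost raises earlier in the thread, a knock sequence that is a function of time and source address so that a captured sequence cannot be replayed later, can be sketched in a few lines. The following is an added illustration and is not code from the thread or from any port-knocking tool the participants use; the port range, the number of knocks, the 60-second time step, the one-window clock-skew allowance and the secret are all constructed assumptions. It derives the ordered ports from HMAC-SHA256 over the time window and the client address, and shows that the same observed sequence is accepted in its own window but rejected a few windows later or from a different source address.

```python
import hmac
import hashlib
import ipaddress
import time

# Assumed parameters for the illustration (not from the thread).
PORT_LOW = 20000      # lowest port used for knocks
PORT_HIGH = 29999     # highest port used for knocks
KNOCKS = 4            # number of ordered knocks in one sequence
STEP = 60             # length of one time window in seconds


def knock_sequence(secret: bytes, src_ip: str, window: int) -> list:
    """Derive the ordered knock ports for one (window, source IP) pair.

    The sequence is a deterministic function of the shared secret, the
    integer time window and the client address, so a sequence sniffed in
    one window is worthless in the next, and worthless from another host.
    """
    ip_bytes = ipaddress.ip_address(src_ip).packed
    msg = window.to_bytes(8, "big") + ip_bytes
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    ports = []
    for i in range(KNOCKS):
        # Two digest bytes per knock, folded into the port range.
        chunk = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(PORT_LOW + chunk % span)
    return ports


def _pack(ports: list) -> bytes:
    """Encode a port list so it can be compared in constant time."""
    return b"".join(p.to_bytes(2, "big") for p in ports)


def valid_knock(secret: bytes, src_ip: str, observed: list,
                now: int, skew: int = 1) -> bool:
    """Server-side check of an observed knock sequence.

    Accepts the sequence for the current window or one adjacent window
    (to tolerate clock skew) and nothing else; comparison is constant-time
    so timing does not leak how many knocks matched.
    """
    current = now // STEP
    packed = _pack(observed)
    for w in range(current - skew, current + skew + 1):
        if hmac.compare_digest(packed, _pack(knock_sequence(secret, src_ip, w))):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed, not a real secret
    client = "192.0.2.10"                    # documentation address
    now = int(time.time())
    seq = knock_sequence(secret, client, now // STEP)
    print("ports for this window:", seq)
    print("accepted now:", valid_knock(secret, client, seq, now))
    print("accepted five windows later:",
          valid_knock(secret, client, seq, now + 5 * STEP))
```

Erik's objection still applies: the secret is shared by every user of the host, so this only removes replay, not the shared-secret problem itself.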
