Re: Re: Enabling SSHD
- In reply to: Paul M Foster : "Re: Enabling SSHD"
Date: Tue, 30 Jan 2024 05:06:51 UTC
On 2024年01月29日 08:47, the silly Paul M Foster claimed to have said:
> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.
>
> In any case, this doesn't provide any actual methods for resolving the
> current problem.
>
> Paul

PGP keys are generally safer than passwords in the case of SSH. If you have password-based authentication enabled, you'll get a password prompt, which could be exploited if your password is known or somebody guessed it. If you disable that and have key-based authentication instead, you can only log in from a machine that has the public and private keys available, so if the NSA or some other criminal organization were to try to break in, they'd be greeted with a "permission denied". If you're super paranoid, you can configure pf to only allow connections to port 22 from specific hosts, on top of that.

I personally use 64-character-long, randomly generated passwords with lowercase, uppercase, digits, and special characters for each login, but way too many people don't. And unlike the well-known 2FA stupidity, PGP keys can be generated and configured on the remote server in just a few seconds.

By the way, if you use Git, you probably already have a PGP key. However, if that Git server happens to be Microsoft Github or some Gitea/Gitlab/Forgejo instance hosted behind Cloudflare or Fastly, better generate separate PGP keys for each one of them, so you can easily revoke access to bad actors while maintaining access to your own servers.

-- 
lain.
Did you know that? 90% of all emails sent on a daily basis are being sent in plain text, and it's super easy to intercept emails as they flow over the internet? Never send passwords, tokens, personal information, or other vulnerable information without proper PGP encryption! If you're writing your emails unencrypted, please consider sending PGP-encrypted emails for security reasons.

You can find my PGP public key at: https://fair.moe/lain.asc

Every good email client is able to send encrypted emails. If yours can't, then you should consider switching to a secure email client, because yours just sucks. My recommendations are Claws Mail or NeoMutt.

For instructions on how to encrypt your emails: https://unixsheikh.com/tutorials/gnupg-tutorial.html
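The key-only sshd configuration and the pf restriction on port 22 that the reply above describes, as an added example that is not part of the original post or of FreeBSD's own configuration. It audits two constructed sshd_config fragments (the shipped-default-equivalent one, where the keywords are commented out and OpenSSH's defaults still offer a password prompt, beside the hardened key-only one) and emits the pf rules. The $ext_if macro, the 203.0.113.0/24 management network, the temporary file paths and the port number are assumptions. In OpenSSH terms the key pairs involved are the ones ssh-keygen(1) produces, with the public half placed in ~/.ssh/authorized_keys on the server.

```shell
#!/bin/sh
# Added example, not from the original post. Audits an sshd_config for the
# password / keyboard-interactive prompts the reply warns about and emits the
# pf rules the reply suggests. Assumptions: $ext_if is the external interface
# macro in pf.conf and 203.0.113.0/24 is a constructed management network.
set -eu

# Constructed sample: FreeBSD ships /etc/ssh/sshd_config with these keywords
# commented out, so the OpenSSH defaults (yes / yes / yes) apply and a password
# prompt is offered to anyone who can reach port 22.
WEAK_SSHD_CONFIG='#PasswordAuthentication yes
#KbdInteractiveAuthentication yes
#PubkeyAuthentication yes
'

# Hardened fragment: public keys only, no password or keyboard-interactive
# prompt at all.
HARDENED_SSHD_CONFIG='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
'

# effective_value FILE KEYWORD DEFAULT
# Print the value sshd would use for KEYWORD: the first uncommented occurrence
# wins, a missing keyword means DEFAULT. Match blocks are not modelled; run
# "sshd -T" on the host for the authoritative effective configuration.
effective_value() {
    file=$1 key=$2 default=$3
    val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    printf '%s\n' "${val:-$default}"
}

# password_logins_possible FILE
# Succeed (exit 0) if sshd with FILE would still offer a password or
# keyboard-interactive prompt, i.e. the config is not key-only.
password_logins_possible() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    kbd=$(effective_value "$1" KbdInteractiveAuthentication yes)
    [ "$pw" = yes ] || [ "$kbd" = yes ]
}

# pf_rules MGMT_NET [PORT]
# Emit pf.conf lines that accept sshd connections only from MGMT_NET. "quick"
# makes the first matching rule final, so the pass rule must come first.
pf_rules() {
    mgmt=$1 port=${2:-22}
    cat <<EOF
pass in quick on \$ext_if inet proto tcp from $mgmt to any port $port keep state
block in quick on \$ext_if proto tcp from any to any port $port
EOF
}

# Write the two constructed configs to temporary files and audit both.
WEAK_FILE=$(mktemp) HARD_FILE=$(mktemp)
trap 'rm -f "$WEAK_FILE" "$HARD_FILE"' EXIT
printf '%s' "$WEAK_SSHD_CONFIG" > "$WEAK_FILE"
printf '%s' "$HARDENED_SSHD_CONFIG" > "$HARD_FILE"

for f in "$WEAK_FILE" "$HARD_FILE"; do
    if password_logins_possible "$f"; then
        echo "$f: password prompt still offered" \
            "(PasswordAuthentication=$(effective_value "$f" PasswordAuthentication yes)," \
            "KbdInteractiveAuthentication=$(effective_value "$f" KbdInteractiveAuthentication yes))"
    else
        echo "$f: key-only authentication"
    fi
done

# Rules to paste into /etc/pf.conf (after the $ext_if macro definition).
pf_rules 203.0.113.0/24
```

On the host itself, put the hardened lines into /etc/ssh/sshd_config, confirm them with `sshd -T | grep -i authentication`, and only then `service sshd reload`; check the pf rules with `pfctl -nf /etc/pf.conf` before loading them. Keep an existing SSH session open throughout so a mistake in either file can be reverted without console access.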