best practice for locking down private jail?
Matthew Seaman
matthew at FreeBSD.org
Thu Dec 3 08:23:04 UTC 2015
On 03/12/2015 07:39, Polytropon wrote:
> Oh, and regarding SSH with keys: You can force keys _and_ a
> password. Educate the user what a secure password is, and make
> him understand "password hygiene". So even if someone is able
> to get his SSH keys, the attacker cannot get access without the
> password (which is to be provided interactively, not stored in
> plain text in some configuration or history file, of course).
Keys *and* a password doesn't offer any additional security over just
keys alone. Of course, your keys for interactive use should be secured
with a passphrase -- this is used to encrypt and decrypt the private key
using a symmetric cipher, so that even if an attacker is able to steal
the private key, it is infeasible for them to be able to decrypt it.
That passphrase is prompted for during the ssh login very similarly to
the way a password is prompted for[*].
As far as I know, there is no way server side to enforce the use of a
key that has been protected with a passphrase, and there are good and
legitimate reasons to want to use passphrase-less keys for various purposes.
One thing I'd certainly recommend is tightening up the SSH configuration
to ensure you're using the best available crypto. There are, for
instance, known problems with dss keys used with moduli of 1024 bits or
less. See --
https://weakdh.org/
Here's a very thorough guide to locking down SSH. It's probably
overkill for most users though:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
Cheers,
Matthew
[*] Although personally I use an ssh agent -- gpg-agent from gnupg2 --
so I only get prompted for the passphrase occasionally. Which is a real
sanity saver considering how frequently I'm logging into various
different machines.
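The following is an added example, not part of Matthew's message or of FreeBSD's own tooling: a small POSIX sh script that audits an sshd_config and an ssh moduli file for the weak settings discussed above (DSS host keys, the 1024-bit diffie-hellman-group1-sha1 group from weakdh.org, password logins), and emits a moduli file with only 2048-bit-or-larger groups, which is the weakdh.org mitigation for the group-exchange key exchanges. The sample config and moduli lines are constructed for illustration; the modulus hex strings are placeholders, not real primes, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config and an
# ssh "moduli" file for weak DH / host-key settings using only sh, sed, grep
# and awk, so it runs offline. All sample data below is constructed; the
# modulus hex strings are placeholders, not real safe primes.

# Strip comments, then report settings that weaken the crypto negotiation.
# One finding per line; prints nothing for a clean config.
audit_sshd_config() {
    cfg=$(sed 's/#.*//' "$1")
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' &&
        echo "PasswordAuthentication yes: passwords are guessable; prefer keys only"
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*KexAlgorithms.*diffie-hellman-group1-sha1' &&
        echo "KexAlgorithms offers diffie-hellman-group1-sha1 (1024-bit group, see weakdh.org)"
    printf '%s\n' "$cfg" | grep -Eiq '^[[:space:]]*HostKeyAlgorithms.*ssh-dss' &&
        echo "HostKeyAlgorithms offers ssh-dss (OpenSSH DSA keys are 1024-bit)"
    return 0
}

# Count moduli entries whose size field ($5, which is bits minus one) is
# below 2047, i.e. DH groups smaller than 2048 bits. Comments are skipped.
weak_moduli_count() {
    awk '!/^#/ && NF >= 7 && $5 + 0 < 2047 { n++ } END { print n + 0 }' "$1"
}

# Emit a replacement moduli file keeping comments and only groups of 2048
# bits or more (the same filter as the weakdh.org / stribika guidance).
strong_moduli() {
    awk '/^#/ || (NF >= 7 && $5 + 0 >= 2047)' "$1"
}

SAMPLE_CONFIG=$(mktemp)
HARDENED_CONFIG=$(mktemp)
SAMPLE_MODULI=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$HARDENED_CONFIG" "$SAMPLE_MODULI"' EXIT

# Constructed "before" config with the weak settings left enabled.
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample sshd_config, weak
Port 22
PasswordAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-dss,ssh-rsa,ssh-ed25519
EOF

# Constructed "after" config: keys only, no DSS, no 1024-bit DH group.
cat > "$HARDENED_CONFIG" <<'EOF'
# constructed sample sshd_config, hardened
Port 22
PasswordAuthentication no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519,ssh-rsa
EOF

# Constructed moduli entries: two weak (1024/1536-bit), two strong (2048/4096).
cat > "$SAMPLE_MODULI" <<'EOF'
# Time Type Tests Tries Size Generator Modulus (placeholders, not real primes)
20150101000000 2 6 100 1023 2 D4BCD52406F69B35994B88DE5DB89682
20150101000100 2 6 100 1535 2 C8157F62D8F33633EE5772F11F05AB22
20150101000200 2 6 100 2047 2 D6B5145B9F241E5ACC31FF090A4BC711
20150101000300 2 6 100 4095 5 48976F76795094E71E7903529F0B7DAB
EOF

echo "== findings, weak config =="
audit_sshd_config "$SAMPLE_CONFIG"
echo "== findings, hardened config (expect none) =="
audit_sshd_config "$HARDENED_CONFIG"
echo "== weak moduli entries: $(weak_moduli_count "$SAMPLE_MODULI") =="
echo "== moduli entries kept =="
strong_moduli "$SAMPLE_MODULI"
```

On a real host you would point audit_sshd_config at /etc/ssh/sshd_config and strong_moduli at /etc/ssh/moduli, writing the filtered output to a new file and installing it in place of the original before restarting sshd; the filter only matters if a diffie-hellman-group-exchange-* method is still offered.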