> [...] Using
> a short passphrase and a key agent that forgets the passphrase
> immediately with public key authentication is still better than being
> botnet attacked for months on end.
Heh. This touches on the other part of my paranoia with PKI; the
short passphrase. Imagine that your passphrase-encrypted key gets
loose in the wild.[1] At that point, you can brute force the file
without anyone knowing you are doing it. No matter how many thousands
of bits the key itself is, if the passphrase is simple or small
enough, there is a possibility of it being decrypted. Whereas, if you
are doing the password checking during the login process, if a failure
happens, it is logged and you have a chance of seeing the attack
before too many guesses of the password can be made.
I agree that the script kiddie login attempts are annoying. But they
are not likely to succeed if you use password best practices. And if
you are really worried about them, and cannot lock down the ssh port
to known remote hosts, using a port knocker of some sort is an easy
way to only open the port when needed.
As someone else said, 2 factor auth (something you have plus something
you know) is still the best thing to do, but if you don't do that, and
need to open ssh to the public, local password is my preference over
keys.
-Tom
[1] Using the stroll to the kitchen example again, if you forget to
lock your screen, and someone gets to the machine before the 2-minute
auto screen locker kicks in, they can easily open a terminal
and run a curl command to upload the public key[2] from your machine.
[2] If you are using security by obscurity, while you are in the daemon rc
file changing the port number, you should also change the default
location of the public key file.
_______________________________________________
BLUG mailing list
BLUG@linuxfan.com
http://mailman.cs.indiana.edu/mailman/listinfo/blug
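The point Tom makes above is that an online password guess leaves a trail in the daemon's log while an offline guess against a stolen passphrase-protected key leaves none. The following is an added example, not code from the post or from the BLUG list, showing what that trail looks like and how to turn it into a detection: it parses constructed sshd lines in the classic syslog auth.log format, counts failures per source address, and flags any source that reaches a threshold of failures inside a sliding time window. The log lines, the year (syslog timestamps carry none), the threshold and the window are all assumptions chosen for the example.

```python
"""Spot password brute-force attempts in sshd auth.log lines.

Added example. The sample log below is constructed for illustration,
not captured from a real host. Syslog timestamps have no year, so a
year is assumed when parsing them.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the traditional syslog auth.log format.
# 203.0.113.7 hammers the daemon with guesses; 198.51.100.23 is a real
# user who mistypes once and then logs in (by password, and later by key).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:09 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 02:14:11 host sshd[4123]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:14 host sshd[4125]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:17 host sshd[4127]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Mar  3 02:14:20 host sshd[4129]: Failed password for root from 203.0.113.7 port 51252 ssh2
Mar  3 02:20:31 host sshd[4201]: Failed password for tom from 198.51.100.23 port 40012 ssh2
Mar  3 02:20:40 host sshd[4201]: Accepted password for tom from 198.51.100.23 port 40012 ssh2
Mar  3 02:35:02 host sshd[4388]: Accepted publickey for tom from 198.51.100.23 port 40100 ssh2
"""

ASSUMED_YEAR = 2024  # assumption: syslog lines do not record the year

# One regex covers both the success and failure forms sshd writes;
# "invalid user" is optional and is dropped so the username is captured cleanly.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=ASSUMED_YEAR):
    """Return a list of dicts (ts, result, method, user, ip) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue  # other daemons, session lines, etc. are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append({
            "ts": ts,
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "ip": m.group("ip"),
        })
    return events


def failed_logins_by_source(events):
    """Count failed authentication attempts per source address."""
    return dict(Counter(e["ip"] for e in events if e["result"] == "Failed"))


def flag_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return the set of source IPs with >= threshold failures inside any window.

    Uses a sliding window over each source's sorted failure timestamps, so a
    slow, spread-out series of failures does not trip the same threshold as a
    burst. The threshold and window are assumed values for the example.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            by_ip[e["ip"]].append(e["ts"])

    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # advance the window's left edge until it spans at most `window`
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures by source:", failed_logins_by_source(evs))
    print("flagged sources:", flag_bruteforce(evs))
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh -o short` output, which uses the same line format) the same three functions give you the visibility Tom is describing; a host that accepts only key logins still logs the `Accepted publickey` lines, but a passphrase being guessed offline against a copied key file never shows up here at all.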