On 6/10/2011 2:09 PM, Craig White wrote:
>
> On Jun 10, 2011, at 12:04 PM, Ljubomir Ljubojevic wrote:
>
>> Les Mikesell wrote:
>>
>>> That's just normal behavior when both are enabled. If the key works,
>>> you don't get the password prompt. But even in the 'ultrasecure'
>>> scenario of requiring both, do you really want people typing their
>>> passwords on equipment that might have a keylogger running?
>>>
>>
>> One scenario is business customers I maintain. They are almost all on my
>> network, and I have servers I maintain/admin 400 km away that are not
>> mine. When I am logged there, or on-site, I often need to pull some data
>> from my main server. Sometimes FTP is enough, but sometimes I need to
>> use SFTP or SCP to access sensitive scripts, or to log in (when I am
>> on-site on far away network).
>>
>> How do you propose that I use key only auth? To copy my sensitive key
>> onto their system? Or is it better to in that case just use password
>> auth? I avoid using my passwords on infected systems, or without proper
>> protection, but on safe systems it is better to use passwords than keys.
>>
>> And of course, I have a brother with root access that does not own a
>> laptop. And if I even tried to force him to use keys for every
>> connection, I would have blue eye in matter of days ;-)
> ----
> put your private key(s) on a USB flash drive and use the '-i' option w/ ssh
>
> Heavily recommend that you use passwords to protect your keys though

If you knew someone was going to do that on a machine you controlled,
would you be able to capture both the key and the password keystrokes?
A one-time password might be a better approach. We use Juniper's SSL VPN
with keyfob cryptocards for remote connections but another part of the
company maintains it and I don't know what it costs.

--
Les Mikesell
lesmikesell@xxxxxxxxx