Re: Request for a Lockdown option

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 04.07.24 01:41, Manon Goo wrote:
  	-  some users private keys are lost

Then you go and remove the corresponding pubkeys from wherever they're configured.

Seriously, even if you do not scan which pubkey is configured where *now* (as is part of our usual monitoring), it'll be your "number <3" task *then* to go hunt it down.

And you want to lock down the sshd and investigate and fix the problem

Then block SSH wherever you can *except* for a jump host that you set up with a known good version and grant your fellow sysadmins access to. "Lock down sshd 'cause it's dubitable" and "trust a rarely-used mechanism inside it to do so" don't mix - after all, the backdoor of CVE-2024-3094 allowed the attacker to bypass *some* of the normal crypto routines, too.

(And since you mention "port knocking", I'd like to repeat how fond I am of upgrading that original concept to a single-packet crypto-armored implementation like fwknop.)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux