[kwlug-disc] Tightening up SSH

unsolicited unsolicited at swiz.ca
Mon Jul 19 23:46:48 EDT 2010



Lori Paniak wrote, On 07/19/2010 11:29 PM:
> On Mon, 2010-07-19 at 22:55 -0400, unsolicited wrote:
>> Darcy Casselman wrote, On 07/19/2010 10:50 PM:
>>> On Mon, Jul 19, 2010 at 9:41 PM, unsolicited <unsolicited at swiz.ca> wrote:
>>>> Darcy Casselman wrote, On 07/19/2010 9:12 AM:
>>>>> Along with previous suggestions, I'd recommend switching to a
>>>>> non-standard port.  It's not really security against a determined
>>>>> attacker, but it cuts out 99.99% of the random Internet drive-bys.
>>>> Could you tell me the source of this statistic please?
>>> Sure! I made it up.
>>>
>>>> Save yourself the irritation. Particularly when you run into a
>>>> firewall that lets you talk out to known ports, but not weird ones.
>>> No worries.  I'm not going to forget mine.  And, like Khalid said, you
>>> can put it in your .ssh/config
>> That implies one is only ever using their own equipment, to hand, to 
>> access their systems remotely. Part of the allure of remote access is 
>> remote access from anywhere, any time, from any equipment.
>>
> 
> Through any password sniffer.  
> 
> If you access your system remotely from insecure hardware, you are
> asking for trouble.  It does not matter how complex your password is,
> your ssh port number or what kind of encryption you used on your USB
> key, on a malicious system you are compromised. I don't think there is a
> reasonably safe way to use questionable hardware short of rebooting the
> system into your own USB distro.

I didn't say don't use keys.

By your argument, and I presume you use a password to log in to your 
own laptop, you should not be using your own laptop. Keys or no.


