[kwlug-disc] Tightening up SSH

Andrew Kohlsmith (mailing lists account) aklists at mixdown.ca
Tue Jul 20 10:14:16 EDT 2010


On Monday, July 19, 2010 11:29:49 pm Lori Paniak wrote:
> Through any password sniffer.
> 
> If you access your system remotely from insecure hardware, you are
> asking for trouble.  It does not matter how complex your password is,
> your ssh port number or what kind of encryption you used on your USB
> key, on a malicious system you are compromised. I don't think there is a
> reasonably safe way to use questionable hardware short of rebooting the
> system into your own USB distro.

Password sniffers don't do jack with a key, although if you are using a 
passwordless key on a USB flash drive, they can just as easily grab your 
private keyfile.

I guess we need a poor-man's RSA SecurID.  We've all got cell phones, we could 
have the remote box SMS us a one-time password.  Of course, now we will only 
be able to gain access when we've got cell signal.

Didn't some banks in Europe have a business card full of one-time passwords? 
Are there hooks in the ssh protocol (and in Ubuntu) to receive a challenge 
from the remote and display it to the user, gathering a response and sending 
it back?

Hmm, now you have me thinking...

-A.
