[kwlug-disc] Tightening up SSH
Andrew Kohlsmith (mailing lists account)
aklists at mixdown.ca
Tue Jul 20 10:14:16 EDT 2010
On Monday, July 19, 2010 11:29:49 pm Lori Paniak wrote:
> Through any password sniffer.
>
> If you access your system remotely from insecure hardware, you are
> asking for trouble. It does not matter how complex your password is,
> your ssh port number or what kind of encryption you used on your USB
> key, on a malicious system you are compromised. I don't think there is a
> reasonably safe way to use questionable hardware short of rebooting the
> system into your own USB distro.

Password sniffers don't do jack with a key, although if you are using
a passwordless key on a USB flash drive, they can just as easily grab your
private keyfile.

I guess we need a poor-man's RSA SecurID. We've all got cell phones, we could
have the remote box SMS us a one-time password. Of course, now we will only
be able to gain access when we've got cell signal.

Didn't some banks in Europe have a business card full of one-time passwords?

Are there hooks in the ssh protocol (and in Ubuntu) to receive a challenge
from the remote and display it to the user, gathering a response and sending
it back?

Hmm, now you have me thinking...

-A.
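
The card-of-one-time-passwords idea from the message above, sketched as a challenge/response check in Python. This is an added example, not part of the original post and not anything OpenSSH ships; issue_card, OtpVerifier and the card layout are hypothetical names chosen for illustration.

```python
import hashlib
import hmac
import secrets

def _digest(salt, index, code):
    # Bind the code to its slot so a code is only valid for its own index.
    # Hashing short numeric codes only slows offline guessing if the store leaks.
    return hashlib.pbkdf2_hmac("sha256", f"{index}:{code}".encode(), salt, 50_000)

class OtpVerifier:
    """Server-side state: salted hashes of the codes that are still unused."""

    def __init__(self, salt, hashes):
        self.salt = salt
        self.unused = dict(hashes)   # index -> hash of the code printed at that index
        self.pending = None          # index of the one outstanding challenge

    def challenge(self):
        """Pick an unused slot; the index is what gets displayed to the user."""
        if not self.unused:
            raise RuntimeError("card exhausted; issue a new one")
        self.pending = secrets.choice(sorted(self.unused))
        return self.pending

    def respond(self, code):
        """Check the reply to the pending challenge. The slot is burned whether
        or not the reply is right, so a sniffed code cannot be replayed and one
        index cannot be guessed repeatedly (cost: wrong guesses use up the card)."""
        index, self.pending = self.pending, None
        if index is None:
            return False
        expected = self.unused.pop(index)
        return hmac.compare_digest(expected, _digest(self.salt, index, code))

def issue_card(count=10, digits=6):
    """Return (card, verifier). The card is printed and carried by the user;
    the server keeps only the verifier, never the plaintext codes."""
    salt = secrets.token_bytes(16)
    card = {i: f"{secrets.randbelow(10 ** digits):0{digits}d}"
            for i in range(1, count + 1)}
    hashes = {i: _digest(salt, i, c) for i, c in card.items()}
    return card, OtpVerifier(salt, hashes)

if __name__ == "__main__":
    card, server = issue_card(count=3)
    slot = server.challenge()
    print("server asks for code number", slot)
    print("first use accepted:", server.respond(card[slot]))
    print("replay accepted:   ", server.respond(card[slot]))
```

A keylogger on the untrusted machine still sees the code that was typed, but that code is spent once it has been submitted.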