Educause Security Discussion mailing list archives
Re: significant incoming SSH volume
From: Scott Beardsley <scott () CSE UCDAVIS EDU>
Date: Fri, 19 Mar 2010 09:41:17 -0700
> While we are confident in the strength of our passwords, as you know with enough effort.......
I didn't see anyone else mention this, but it might be a good time to turn *off* password-based remote access. We have been requiring ssh public key based access to our research resources for a year or two. Evil haxors can try all they want to brute force us and they are mostly just wasting their time. Here is our usual setup:

# rhosts? what are we using, rlogin?
RhostsRSAAuthentication no
# passwords are sooooo 90's
PasswordAuthentication no
# use a centrally maintained ssh_known_hosts or DNSSEC SSHFP records
IgnoreUserKnownHosts yes
# meh, host-based is OK for clusters though
HostbasedAuthentication no
IgnoreRhosts yes
# OK, now we're getting somewhere:
PubkeyAuthentication yes
# force all access through a centrally maintained list of keys.
AuthorizedKeysFile /etc/ssh/users/%u.pub

Note: a user must go through the administrator to change their public key. We typically store one pub key per user and check the keys against a list of "known bad" keys (including the Debian blacklisted keys). Although we can't enforce it, we stress the importance of having a strong passphrase protecting their private key and train folks on how to protect their private key (i.e. only install it on trusted machines, don't send it over email, etc.).

Good luck..

Scott
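As an added example (not part of Scott's message or the list archive), here is a small Python audit that checks an sshd_config against the settings he lists and checks a per-user key file against his "exactly one key, not on the known-bad list" rule. It applies the sshd_config(5) rule that the first value given for a keyword wins, which is the usual way a stray "PasswordAuthentication yes" earlier in the file silently undoes a hardening line added at the end. The configs, key lines and known-bad list are constructed for the demo; the key lines are synthetic ssh-ed25519 blobs, not real keys, and matching the bad list by SHA256 fingerprint is an assumption of this demo (the Debian blacklist files are keyed differently). Two caveats: on a live host, `sshd -T` prints the effective configuration and is the authoritative check (this parser stops at the first Match block), and RhostsRSAAuthentication only ever applied to protocol 1, which current OpenSSH no longer supports.

```python
"""Audit sshd_config and per-user key files against the policy in the message
above. Added example, not code from the original post; configs, key lines and
the known-bad list below are constructed for the demo."""
import base64
import hashlib

# Policy from the message: sshd keyword (lower-cased) -> required value.
REQUIRED = {
    "rhostsrsaauthentication": "no",
    "passwordauthentication": "no",
    "ignoreuserknownhosts": "yes",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "pubkeyauthentication": "yes",
    "authorizedkeysfile": "/etc/ssh/users/%u.pub",
}

def parse_sshd_config(text):
    """Effective keyword -> value map per sshd_config(5): keywords are
    case-insensitive, lines starting with '#' are comments, and the FIRST value
    given for a keyword wins. Parsing stops at a Match block (conditional
    settings are not modelled here; use 'sshd -T' for the real effective view)."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        effective.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return effective

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config matches REQUIRED."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, wanted in REQUIRED.items():
        actual = effective.get(keyword)
        # yes/no values are case-insensitive; the key file path is compared verbatim
        same = (actual == wanted) if keyword == "authorizedkeysfile" \
            else (actual is not None and actual.lower() == wanted)
        if actual is None:
            findings.append(f"{keyword} not set explicitly (want {wanted!r})")
        elif not same:
            findings.append(f"{keyword} is {actual!r}, want {wanted!r}")
    return findings

def fingerprint(pubkey_line):
    """'SHA256:<base64 without padding>' fingerprint of a public key line, the
    form 'ssh-keygen -lf' prints. The key type embedded in the wire blob must
    match the type token on the line; a mismatch means a mangled line."""
    keytype, blob_b64 = pubkey_line.split()[:2]  # a leading options field is not handled
    blob = base64.b64decode(blob_b64, validate=True)
    name_len = int.from_bytes(blob[:4], "big")
    embedded_type = blob[4:4 + name_len].decode()
    if embedded_type != keytype:
        raise ValueError(f"blob says {embedded_type!r}, line says {keytype!r}")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_user_keyfile(text, bad_fingerprints):
    """Per-user key file policy from the message: exactly one key, and that key
    not on the known-bad list. Matching by SHA256 fingerprint is an assumption
    of this demo; the Debian blacklist files are keyed differently."""
    keys = [ln for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    findings = []
    if len(keys) != 1:
        findings.append(f"expected exactly one key, found {len(keys)}")
    for line in keys:
        fp = fingerprint(line)
        if fp in bad_fingerprints:
            findings.append(f"key {fp} is on the known-bad list")
    return findings

def fake_ed25519_line(seed, comment):
    """Constructed, well-formed ssh-ed25519 public key line (NOT a real key):
    wire format is string(type) || string(32-byte public key)."""
    pub = bytes((seed * 17 + i) % 256 for i in range(32))
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + (32).to_bytes(4, "big") + pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

# Constructed sample inputs.
HARDENED_CONFIG = """\
RhostsRSAAuthentication no
PasswordAuthentication no
IgnoreUserKnownHosts yes
HostbasedAuthentication no
IgnoreRhosts yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/users/%u.pub
"""
# A later 'no' does not rescue an earlier 'yes': sshd keeps the first value.
WEAK_CONFIG = "PasswordAuthentication yes\n" + HARDENED_CONFIG
GOOD_KEY = fake_ed25519_line(1, "alice@lab")
BAD_KEY = fake_ed25519_line(2, "leaked@lab")
KNOWN_BAD = {fingerprint(BAD_KEY)}  # stands in for the blacklist lookup

if __name__ == "__main__":
    print("hardened config:", audit_sshd_config(HARDENED_CONFIG) or "OK")
    print("weak config:", audit_sshd_config(WEAK_CONFIG))
    print("leaked.pub:", check_user_keyfile(BAD_KEY + "\n", KNOWN_BAD))
```

To run this against a real host, feed it the output of `sshd -T` instead of the raw file, and point check_user_keyfile at each file under the directory named by AuthorizedKeysFile; the fingerprint function is the same one you would compare against `ssh-keygen -lf` output.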
Current thread:
- Re: significant incoming SSH volume, (continued)
- Re: significant incoming SSH volume Edgmand, Craig (Mar 16)
- Re: significant incoming SSH volume Michael Horne (Mar 16)
- Re: significant incoming SSH volume Joel Rosenblatt (Mar 16)
- Re: significant incoming SSH volume John Kristoff (Mar 16)
- Re: significant incoming SSH volume Mike Iglesias (Mar 16)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 16)
- Re: significant incoming SSH volume Russell Fulton (Mar 17)
- Re: significant incoming SSH volume Dexter Caldwell (Mar 17)
- Re: significant incoming SSH volume Miller, Don C. (Mar 18)
- Re: significant incoming SSH volume Michael J. Wheeler (Mar 18)
- Re: significant incoming SSH volume Scott Beardsley (Mar 19)