Re: Opening ports in my firewall
From: Harry Putnam (reader_at_newsguy.com)
Date: 08/03/04
Date: Tue, 03 Aug 2004 08:05:48 -0500
"Walter Dnes (delete the 'z' to get my real address)" <wzaltdnes@waltdnes.org> writes:
> 2) This may be a bit more painful, but consider accepting connections
> only with DSA keys, and not allowing manual password logins.
> Brute-forcing a DSA key is a helluva lot more difficult than a password.
Walter, sorry to *** in here but, I've wondered about the password method
for a while and your post started to get to the crux of it.

Can you spell the above method out a little? I guess you mean the
method where you exchange id_dsa.pub keys and keep them in an
authorized_keys file, right? But how is this limiting done?

But that would assume you always know in advance what machine you will
be sshing in from (or at least a group of possible machines). So that
would be pretty much the same as using /etc/hosts.allow it seems.

In a situation where one may ssh in from machines unknowable in
advance, is there really any other technique than password?

Maybe this is where folks use the vpn stuff or does one have to know
the incoming machine in advance for that too?

If one uses a good password wouldn't a dictionary attack take a very
long time? And with ssh only allowing 3 login attempts at a time, you
could be talking wks of effort. Or is there some other way with ssh
password auth that is a quicker crack?

Also, is it possible to limit incoming ssh to a particular username?
And that user ends up in a chroot jail or something. Needing yet
another password (root's) to do damage.
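
An added example, not part of the original message or thread: a small Python audit of an sshd_config for the two restrictions raised above, key-only logins and a single permitted username. The sample configs and the username "harry" are constructed, and only the global section (before any Match block) is read.

```python
# Added example: audit sshd_config text for key-only, single-user login.
# Defaults sshd applies when a keyword is absent, per sshd_config(5).
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated alias still found in older configs.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # Match blocks are out of scope here
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        # sshd keeps the first value it reads for a keyword; this example
        # applies that rule to every keyword, AllowUsers included.
        settings.setdefault(ALIASES.get(key, key), value)
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is off: key logins will fail")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if cfg[key].lower() != "no":
            findings.append(key + " is not 'no': password prompts remain")
    if not cfg.get("allowusers"):
        findings.append("AllowUsers is unset: any account may log in")
    return findings

# Constructed sample: the later "no" is ignored because the first value wins.
WEAK = "Port 22\nPasswordAuthentication yes\nPasswordAuthentication no\n"
# Constructed sample: keys only, one permitted account.
HARDENED = ("PubkeyAuthentication yes\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nAllowUsers harry\n")

if __name__ == "__main__":
    for name, sample in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "ok")
```

On a live host, `sshd -T` prints the effective settings and is the authoritative check; the script above only reads the text it is given.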