Re: How can I secure a Debian installation?
On Tue, Jan 28, 2014 at 08:37:57PM +0000, Brian wrote:
> On Tue 28 Jan 2014 at 11:40:04 -0800, Jon Danniken wrote:
>
> > Thanks Brian, I ended up removing openssh-server, as it was not
> > something I needed; it was automatically installed and set up to run as
> > a "feature" of the live CD I used to install Debian with (installed as
> > part of the "live-tools" package). Fortunately I came across the posting
> > that alerted me to this, and have removed it from both of my machines.
>
> Removing software which runs as a daemon is good practice. Why have a
> process listening for external connections when it is unnecessary?
>
> > If I end up using openssh in the future I will definitely use a private
> > key, though.
>
> Another battle lost. :)
>
> But ssh keys are great for some situations. The problem is their
> advocates never describe what the situations are and it is too often a
> case of being instructed to "use a ssh key". The downsides to an ssh
> key are left unsaid and the impression is given that a password login is
> naff and insecure. The pros and cons of an ssh key login are rarely
> discussed by these advocates.
>
> I'll just end by reminding you that your ssh key might be stored on a
> USB stick. Forget the stick and you don't get to access your account.
> Passwords are in your memory and, fallible though it might be, it is
> usually accessible. In the last resort the password could come to you
> in a dream. :)
Moreover, all intrusions in open source projects (through ssh) like
kernel's git in 2011 or Fedora's repos occurred as a consequence of
stealing private keys instead of password guessing.
Also, "SSH: passwords or keys?" - http://lwn.net/Articles/369703/
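The point raised earlier in the thread, that a daemon you never asked for (here, sshd pulled in by live-tools) can sit listening for external connections, is easy to check for. The script below is an added example, not code from the thread or from Debian; it reads /proc/net/tcp and /proc/net/tcp6 directly so it works on a minimal install without ss or netstat, and it assumes a Linux /proc layout. The sample /proc/net/tcp contents embedded in it are constructed for the demonstration (one sshd-style listener on port 22 on all interfaces, a CUPS-style listener on 631 on loopback, and one established connection that must be ignored).

```shell
#!/bin/sh
# Added example: enumerate TCP sockets in LISTEN state from /proc/net/tcp
# (state column "0A") and flag the ones not on an explicit allowlist.
# Assumes a Linux /proc layout; tested against the constructed sample below.

# parse_listeners: read /proc/net/tcp-format lines on stdin, print one
# "<port> <scope>" line per LISTEN socket, port decoded from hex to decimal.
# scope is "wildcard" (0.0.0.0 / ::), "loopback" (127.0.0.1 / ::1) or "bound".
parse_listeners() {
    awk 'NR > 1 && $4 == "0A" {
        split($2, a, ":");               # a[1] = hex address, a[2] = hex port
        p = toupper(a[2]);
        port = 0;
        for (i = 1; i <= length(p); i++)  # portable hex -> decimal (no gawk strtonum)
            port = port * 16 + index("0123456789ABCDEF", substr(p, i, 1)) - 1;
        if (a[1] == "00000000" || a[1] == "00000000000000000000000000000000")
            scope = "wildcard";
        else if (a[1] == "0100007F" || a[1] == "00000000000000000000000001000000")
            scope = "loopback";
        else
            scope = "bound";
        print port, scope;
    }' | sort -n -u
}

# unexpected_listeners PORT...: read parse_listeners output on stdin and
# print only the listeners whose port is NOT in the allowlist arguments.
unexpected_listeners() {
    allow=" $* "
    while read -r port scope; do
        case "$allow" in
            *" $port "*) ;;
            *) echo "$port $scope" ;;
        esac
    done
}

# audit_listeners: run the parser over the live kernel tables (IPv4 and IPv6).
audit_listeners() {
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] && cat "$f"
    done | parse_listeners
}

# Constructed sample of /proc/net/tcp (not captured from a real host):
#   port 0x0016 = 22  listening on 0.0.0.0   -> an sshd-style wildcard listener
#   port 0x0277 = 631 listening on 127.0.0.1 -> a CUPS-style loopback listener
#   third row is ESTABLISHED (state 01) and must be ignored
SAMPLE_PROC_NET_TCP=$(cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:B8C2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
)

echo "Listeners in the constructed sample:"
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | parse_listeners
echo "Sample listeners not on the allowlist (631 allowed):"
printf '%s\n' "$SAMPLE_PROC_NET_TCP" | parse_listeners | unexpected_listeners 631

if [ -r /proc/net/tcp ]; then
    echo "Listeners on this host:"
    audit_listeners
fi
```

On a machine like the one described in the thread, `audit_listeners | unexpected_listeners 631` would have shown `22 wildcard` straight after installation, which is the cue to ask whether that service is wanted and, if not, to remove the package rather than leave it running. A wildcard listener is the case that matters for the "external connections" concern; a loopback-only one is reachable only from the host itself.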