
Re: How can I secure a Debian installation?



On 1/30/2014 11:29 PM, Raffaele Morelli wrote:



2014-01-30 Brian <ad44@cityscape.co.uk>:

    On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote:

     > On Tue, 28 Jan 2014 18:42:34 +0000
     > Brian <ad44@cityscape.co.uk> wrote:
     >
     > > The AllowUsers directive is a legitimate way to restrict ssh logins to
     > > certain users. However, I do not see what (ssh keys + AllowUsers)
     > > brings to the party that (password + AllowUsers) doesn't.
     >
     > A key (if kept secret) is even harder to "guess" than a
     > password,

    I'd like to see a complex, random, high-entropy 20 character password
    which is guessable (or capable of being cracked) in a timeframe which
    has some significance. I'll give you "even harder" but it is of no great
    consequence if you consider the situation where an online subversion of
    a user's account is being attempted and a good password is in place.


I'd like to see someone who uses such a 20 character password for everyday
tasks.


I have to agree with you here, Raffaele. While it's nice to talk about users and 20 character random keys, the fact of the matter is, they aren't used by the vast majority of users. In many cases, even those who *should* know better don't do it.

Sure, you could require a 20 character random key on your site - but you won't get many people to sign up. Rather than try to remember such a password, most people will just move on.

<snip>


Passwords are guessable and brute force is here to stay. But can you
show me how to simulate the presence of a key on the client side?


Yes, brute-force attacks are how most externally-generated breaches occur. I see multiple attacks daily in my server logs.

Jerry
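Jerry mentions seeing brute-force attempts daily in his server logs. As an added example (not code from anyone in this thread), the Python below parses sshd auth.log lines, counts failed password attempts per source address, and flags any accepted login that came from an address that also produced failures; the log lines are constructed and the threshold of three failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample auth.log lines in the shape OpenSSH's sshd writes; not real traffic.
SAMPLE_LOG = """\
Jan 30 23:01:12 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 30 23:01:15 host sshd[1203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jan 30 23:01:19 host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Jan 30 23:01:23 host sshd[1207]: Failed password for root from 203.0.113.5 port 40152 ssh2
Jan 30 23:02:02 host sshd[1210]: Accepted publickey for jerry from 192.0.2.10 port 51000 ssh2: RSA SHA256:constructed
Jan 30 23:05:41 host sshd[1222]: Failed password for jerry from 198.51.100.7 port 51012 ssh2
Jan 30 23:05:50 host sshd[1224]: Accepted password for jerry from 198.51.100.7 port 51013 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text):
    """Split log lines into failed (user, ip) tuples and accepted (user, ip, method) tuples."""
    failed, accepted = [], []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.append((m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("user"), m.group("ip"), m.group("method")))
    return failed, accepted

def brute_force_sources(failed, threshold=3):
    """Source addresses with at least `threshold` failed password attempts (threshold is an assumption)."""
    counts = Counter(ip for _, ip in failed)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def accepted_from_failing_sources(failed, accepted):
    """Successful logins from an address that also failed: the ones worth a human look."""
    failed_ips = {ip for _, ip in failed}
    return [ev for ev in accepted if ev[1] in failed_ips]

if __name__ == "__main__":
    failed, accepted = parse_events(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(failed))
    print("accepted from failing sources:", accepted_from_failing_sources(failed, accepted))
```

A key-only login policy makes the first list pure noise, while the second list is where a password guess that eventually landed would show up.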

