
Re: Limiting ssh access: by MAC Address?




On 5/1/23 12:56, Jeffrey Walton wrote:
> On Wed, Jan 4, 2023 at 11:34 PM Gareth Evans <donotspam@fastmail.fm> wrote:
>> On 3 Jan 2023, at 22:07, Tom Browder <tom.browder@gmail.com> wrote:
>>> I ... would like to access my home server from my laptop ...
>>
>> On 5 Jan 2023, at 04:13, Jeffrey Walton <noloader@gmail.com> wrote:
>>> ...
>>> Avoiding the key exchange is a big win
>>> since those public key operations are so costly.
>>
>> Costly in what sense and circumstances?
>
> Public key operations for key exchange dominate the cpu cost of a
> session. Key exchange is the limiting factor in how many connections a
> server can handle. It has always been this way, even for SSL/TLS and
> IPSec.


For your typical home user with no expectation of high numbers of connections, the issue is more to limit the crap that turns up in the logs from failed login attempts.

Requiring a valid client certificate to be presented before, or instead of, a username/password works perfectly for this.

I have some recollection that the validation of a client certificate is not a high cost exercise?

--
Jeremy
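
One way to require a certificate before a password on an OpenSSH server, as an added example that is not part of the original message. It assumes the "client certificate" is an OpenSSH user certificate; the CA file path, key names and the user name `tom` are placeholders.

```conf
# /etc/ssh/sshd_config fragment (added example; paths are placeholders)

# Issuing the certificate, run once on the machine holding the CA key:
#   ssh-keygen -t ed25519 -f user_ca                    # create the CA key pair
#   ssh-keygen -s user_ca -I laptop -n tom -V +52w id_ed25519.pub
# -n lists the principals (by default, the login name the certificate is valid for),
# -V bounds its lifetime, and the result is written to id_ed25519-cert.pub.

# Accept user certificates signed by this CA (public half only on the server).
TrustedUserCAKeys /etc/ssh/user_ca.pub

# Skip per-user authorized_keys files, so a bare key that is not
# CA-signed does not satisfy the publickey step.
AuthorizedKeysFile none

PubkeyAuthentication yes
PasswordAuthentication yes

# Both methods are required, in this order: the certificate first, then the
# password. A client that cannot complete publickey is never offered the
# password method, so it cannot submit password guesses.
AuthenticationMethods publickey,password
```

Run `sshd -t` to check the file before reloading the daemon, and keep an existing session open while testing the new login path.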

