Kent Borg <[email protected]> noted:

> ... what a pain in the butt to be constantly messing with port forwarding,
> and putting sshd on--what was that port number again?
This comment reminded me of a cleanup that I should do myself. Any of you who are griping about sshd port forwarding probably need to consider taking these steps too.

My current setup: sshd runs on about 3 external ports, NATed to various machines. I can access either by an (encrypted) private ssh key, or by 2-factor password auth (my personal pw plus Google Authenticator).

It's 2016 and the whole concept of passwords for user auth is obsolete; they're hard to remember, don't get changed enough, and are fairly easy to break. If you're relying solely on a memorized pass-phrase to access anything via a public IP address, you're not doing it right these days. Does this include you?

So what I'm thinking I should do, to avoid the P.I.T.A. management headaches that Kent describes:

* With a Python script, generate a public/private keypair for each of the long-running machines I want to protect
* Have that script generate an authorized_keys file, encrypted identity file, and ssh config file
* Tar up those files so they can be readily unpacked everywhere I need them
* Craft an ansible playbook to run that script whenever I want to rotate the keys
* Carry a copy of that tarball on a keychain USB flash drive so I can always get in
* Disable passphrase/MFA auth everywhere except one or two backdoor devices (in case my rotation script has run before I could update that USB flash drive and whatever laptop/handheld devices use these keys)

At some point an open-source project like ssh-ca will improve to the point where all the above is made easier.

I kinda-sorta do the above already, but without the script and ansible playbook I don't bother rotating keys, which is an essential part of this security. Overkill, perhaps, for home use--but even some of my security-expert friends' home systems have been hacked. Ever visited a carpenter's house? Usually you see half-complete remodeling jobs; it's natural for all of us to apply our professional skills at a paid workplace but skimp on stuff at home.

Now, if only I could figure out a way to automatically and securely update my WordPress installation without it occasionally running into horrendous plugin version-compatibility traps...

-rich

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
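As an added example, not rich's own script and not code from any project named above, here is what the key-generation and packaging steps of that plan can look like in Python. It calls the real `ssh-keygen` to produce one passphrase-encrypted ed25519 key per host, writes one `authorized_keys` file per host (so each machine only ever trusts its own key), an `ssh_config` with `IdentitiesOnly yes` so the client does not offer every key it owns, and tars the lot for the USB stick. The host inventory (`HOSTS`, the aliases, addresses and NATed ports) is a constructed sample; the `keygen` hook is a parameter only so the packaging logic can be exercised on a machine without `ssh-keygen`.

```python
"""Per-host SSH key rotation bundle (added example, not the poster's script)."""
import datetime
import getpass
import subprocess
import tarfile
from pathlib import Path

# Constructed sample inventory: alias -> (public address, external sshd port).
# Two aliases share one public IP with different NATed ports, as in the post.
HOSTS = {
    "gw1": ("203.0.113.10", 2201),
    "nas": ("203.0.113.10", 2202),
    "vps": ("198.51.100.7", 22),
}


def run_ssh_keygen(priv_path: Path, passphrase: str, comment: str) -> None:
    """Invoke the real ssh-keygen; -N is the passphrase that encrypts the private key."""
    subprocess.run(
        ["ssh-keygen", "-q", "-t", "ed25519", "-N", passphrase,
         "-C", comment, "-f", str(priv_path)],
        check=True,
    )


def generate_keypair(alias: str, outdir: Path, passphrase: str, keygen=run_ssh_keygen):
    """Create id_ed25519_<alias> and its .pub; the comment records the rotation date."""
    stamp = datetime.date.today().isoformat()
    priv = outdir / f"id_ed25519_{alias}"
    keygen(priv, passphrase, f"{alias}-rotated-{stamp}")
    pub = priv.parent / (priv.name + ".pub")
    priv.chmod(0o600)  # ssh refuses group/world-readable identity files
    return priv, pub.read_text().strip()


def build_authorized_keys(pubkey_line: str) -> str:
    """One key per host, so each machine's authorized_keys holds exactly one line."""
    return pubkey_line + "\n"


def build_ssh_config(hosts: dict, key_dir: str = "~/.ssh/rotated") -> str:
    """Client config: pin the per-host key and stop the client offering others."""
    blocks = []
    for alias, (hostname, port) in sorted(hosts.items()):
        blocks.append("\n".join([
            f"Host {alias}",
            f"    HostName {hostname}",
            f"    Port {port}",
            f"    IdentityFile {key_dir}/id_ed25519_{alias}",
            "    IdentitiesOnly yes",
            "    PasswordAuthentication no",
        ]))
    return "\n\n".join(blocks) + "\n"


def build_bundle(hosts: dict, outdir: Path, passphrase: str, keygen=run_ssh_keygen) -> Path:
    """Generate every keypair, per-host authorized_keys and the config, then tar them."""
    outdir.mkdir(parents=True, exist_ok=True)
    for alias in hosts:
        _, pub = generate_keypair(alias, outdir, passphrase, keygen)
        (outdir / f"authorized_keys_{alias}").write_text(build_authorized_keys(pub))
    (outdir / "config").write_text(build_ssh_config(hosts))
    tar_path = outdir.with_name(outdir.name + ".tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        for f in sorted(outdir.iterdir()):
            tar.add(f, arcname=f.name)
    return tar_path


def bundle_members(tar_path: Path) -> list:
    """List what ended up in the tarball (used to verify a rotation run)."""
    with tarfile.open(tar_path) as tar:
        return sorted(tar.getnames())


if __name__ == "__main__":
    # Real run: prompts for the passphrase rather than taking it on the command line.
    out = Path.home() / "ssh-rotation" / datetime.date.today().isoformat()
    tarball = build_bundle(HOSTS, out, getpass.getpass("Key passphrase: "))
    print("bundle written to", tarball)
    print("\n".join(bundle_members(tarball)))
```

On a rotation run the tarball is what the ansible playbook ships out: `authorized_keys_<alias>` goes to that one host, `config` and the `id_ed25519_*` files go to the laptops and the USB stick. Note that `ssh-keygen -N` puts the passphrase in the process argument list for the duration of the call; on a shared machine prompt for it and run the script from a private session.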
