Hot Diggety! Richard Chycoski was rumored to have written:
>
> You need sshd on a standard port for your *users* to be able to use it.
> Hiding ssh on a strange port doesn't really add much protection.
Yep. That, as the sole measure, no way!
But when coupled with other steps such as:
- Two-factor authentication (as you mentioned)
- Regular patching and restarts of sshd, particularly when vulns
for sshd / OpenSSL libs are reported
- Use of pre-setup ssh keys + passphrases only (rather than use
of guessable passwords) to log in if two-factor auth is not possible
- Making users change their password (whether via pam_passwdqc +
passwd or via a web page somewhere or via built-in capabilities)
> SecureID (or similar) access is good because it requires your users to
> use 'something they have' (the token generator). Tokens with PINs are
> better because they require both 'something they have' (the token) plus
> 'something they know' (the PIN). This is a two-factor password, and
> considered secure enough for most any commercial enterprise. *Do* keep
> your ssh daemon up to date, and do disallow root logins, both as
> recommended by Ned.
Most definitely. I've worked for employers who used this to good effect
for external-facing bastions. Have had zero compromises due to a stolen
password or passphrase (say, one sniffed while an employee was using a
laptop in a public place with an unencrypted AP).
> Using ssh as a gateway is certainly secure enough for most enterprises,
> although VPNs are more convenient for a lot of users (read: non-techie
> managers and salespeople, almost always on Windows. :-)
Bit of a mixed bag with regard to the platform. :) At least Cisco's VPN
client works well on Linux and MacOS X. VPN authentication can also be
coupled with two-factor authentication.
-Dan
_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
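The hardening points in Dan's list above (no root logins, key-only authentication, no empty passwords, explicit settings rather than trusting the compiled-in default) as a small audit script for an sshd_config. This is an added example, not code from the original post, the list, or OpenSSH. It assumes a POSIX sh with awk, a file in sshd_config syntax (first occurrence of a keyword wins, keyword and value separated by blanks or "=", everything after a Match line is conditional), and the function names sshd_setting and audit_sshd_config are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# hardening points in the thread. Assumes POSIX sh + awk; the function
# names sshd_setting and audit_sshd_config are mine, not OpenSSH's.

# sshd_setting FILE KEYWORD
# Prints the value sshd would use for KEYWORD: sshd takes the FIRST
# occurrence of a keyword, keywords are case-insensitive, "=" or blanks
# may separate keyword and value, and everything after a Match line is
# conditional, so we stop there. Prints "default" if the keyword is unset.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }            # strip indentation, re-split fields
        /^#/ || /^$/ { next }             # comments and blank lines
        { k = tolower($1) }
        k == "match" { exit }             # Match blocks are conditional
        k == key { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one WEAK line per setting that is not explicitly hardened and
# returns 1 if there were any. An unset keyword is flagged too, because
# the compiled-in default differs between OpenSSH versions, so the value
# you rely on should be written down in the file.
audit_sshd_config() {
    findings=0
    for pair in PermitRootLogin=no \
                PasswordAuthentication=no \
                PubkeyAuthentication=yes \
                PermitEmptyPasswords=no; do
        key=${pair%%=*}
        want=${pair#*=}
        actual=$(sshd_setting "$1" "$key")
        if [ "$actual" != "$want" ]; then
            echo "WEAK: $key is '$actual', want '$want'"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the config on each bastion before restarting sshd after a patch; a non-zero exit means at least one of the listed settings is either weakened or left to the default. Include directives and Match blocks are not followed, so anything applied through them still needs a look by hand.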