Rich Freeman on 26 Jul 2017 07:33:35 -0700



Re: [PLUG] SSH Hardening : Request for Best Practices


On Wed, Jul 26, 2017 at 10:21 AM, Robert <mlists@zoominternet.net> wrote:
> On 07/26/2017 09:07 AM, Louis K wrote:
>> I'm in the process of hardening an ssh server on my home network I
>> plan on exposing so I can access it remotely. I've configured a number
>> of typical hardening approaches (non standard port, disable root
>> login, require keys, limit to single user).
>>
>> I'd love to hear people's general recommendations for best practices,
>> and have two specific questions:
>> *  I'm considering adding two factor auth in addition to the ssh keys.
>> Is this overkill? I think in that case the 2-factor-auth really only
>> protects me against someone getting my key (i.e., stealing my laptop
>> and sshing in), which I _think_ is unlikely.
>
> Add a passphrase to your keys then you don't have to worry about someone
> getting a hold of it and using it.
>

This only protects the key at rest.  If a process can spy on keyboard
input or your ssh client memory or your ssh agent memory then it would
be able to obtain your passphrase as well as your key.

It would protect against laptop theft (if it was powered off).

Again, it is up to you to decide how important this threat model is.
2FA still does provide protections over an ssh passphrase.  There is
always a compromise between usability/complexity and security.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
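
The measures listed in the quoted question (non-standard port, root login disabled, keys required, a single allowed user) and the key-plus-second-factor setup discussed in the reply can be checked mechanically against an sshd configuration. The Python check below is an added example, not part of the original thread; the sample configuration, the account name `alice` and the function names are constructed, and it assumes OpenSSH `sshd_config` keyword semantics with `Match` blocks ignored.

```python
# Added example: audit sshd settings against the measures listed in the thread.
# SAMPLE is constructed for illustration; "alice" is a placeholder account name.
SAMPLE = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
AllowUsers alice
AuthenticationMethods publickey,keyboard-interactive
"""

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"port": ["22"], "permitrootlogin": ["prohibit-password"],
            "passwordauthentication": ["yes"]}

def parse(text):
    """Collect keyword -> list of argument strings (keywords lowercased)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "match":
            break  # simplification: only the global section is audited
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf

def audit(text):
    """Return a list of findings; an empty list means every measure is in place."""
    conf = {**DEFAULTS, **parse(text)}
    first = lambda k: conf.get(k, [""])[0].lower()  # first occurrence wins in sshd
    findings = []
    if "22" in conf["port"]:
        findings.append("listening on the standard port 22")
    if first("permitrootlogin") != "no":
        findings.append("root login is not fully disabled")
    if first("passwordauthentication") != "no":
        findings.append("password authentication is enabled")
    users = " ".join(conf.get("allowusers", [])).split()
    if len(users) != 1:
        findings.append("AllowUsers does not name exactly one user")
    # AuthenticationMethods: space-separated lists are alternatives, while a
    # comma-separated list means every method in that list must succeed.
    lists = first("authenticationmethods").split() or ["any"]
    for alt in lists:
        methods = [m.split(":")[0] for m in alt.split(",")]
        if "publickey" not in methods or len(set(methods)) < 2:
            findings.append(f"'{alt}' does not require a key plus a second method")
    return findings
```

Feeding it the output of `sshd -T` instead of the raw file audits the effective settings, since that output uses the same keyword/value layout.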