Re: [PLUG] SSH Hardening : Request for Best Practices

Rich Freeman on 26 Jul 2017 15:44:46 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SSH Hardening : Request for Best Practices

From: Rich Freeman <r-plug@thefreemanclan.net>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Subject: Re: [PLUG] SSH Hardening : Request for Best Practices
Date: Wed, 26 Jul 2017 18:44:38 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=5+toiUmvvYboI9IyyAVikXWbdMm+75zxY9IkSHof1rg=; b=WiH2Hf/77PgWTU64pDldScUTvILBLWl/eG8TUkM5/LNqA4u/Iep95qcLTWhaqKgJ/y FVm3ihmg+YZElgLzRl+pwPKpy3DCa2sAq8anRxwjpDIBk/6S22eRvLkmqb3EKcLaLjcr ET5+4HnTjSgIcI0r3fwR83qdAV/qwe9B+nAytEmG7/5XThfe4z1z56M4DDPgolZRwgUd 0AnqACKm0Ra7ZDYsoqDcKRWnEpRKdz5/FP/PEK6kI25rp4m2ZkVHyBNKM50S0ddbNRST TGU/fnwPbpMFwrVSwSNkIDz9JLCDDWXiMFDY6B2nUsI9I+cEIX7vBdg1ZbNM8SkVQ0Pd NgtA==
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

On Wed, Jul 26, 2017 at 6:33 PM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Wed, Jul 26, 2017 at 12:05:16PM -0400, K.S. Bhaskar wrote:
>> Since it is pretty straightforward to set up ssh with 2FA with Google
>> authenticator (
>> https://www.howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication)
>> or Authy (https://github.com/authy/authy-ssh), why would one not use the
>> additional security 2FA provides?
>
> Unless I'm mistaken, this requires a smartphone in order to run
> the relevant app.  (If I'm mistaken, I apologize.)  That's a
> dealbreaker for me: smartphones are just another component of the
> world's most widely distributed dumpster fire, aka the IoT.

It needs something that implements RFC 6238.  A smartphone app is the
most common implementation but any conforming TOTP generator will
work.

Sure, smartphones aren't ideal, but it is an additional layer of
defense.  Adding it doesn't increase your risk of compromise at all.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Louis K <louis.kratz@gmail.com>

References:
- [PLUG] SSH Hardening : Request for Best Practices
  - From: Louis K <louis.kratz@gmail.com>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Robert <mlists@zoominternet.net>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: "Keith C. Perry" <kperry@daotechnologies.com>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Joe Rosato <rosatoj@gmail.com>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: "K.S. Bhaskar" <bhaskar@bhaskars.com>
- Re: [PLUG] SSH Hardening : Request for Best Practices
  - From: Rich Kulawiec <rsk@gsp.org>

Prev by Date: Re: [PLUG] SSH Hardening : Request for Best Practices
Next by Date: Re: [PLUG] SSH Hardening : Request for Best Practices
Previous by thread: Re: [PLUG] SSH Hardening : Request for Best Practices
Next by thread: Re: [PLUG] SSH Hardening : Request for Best Practices
Index(es):
- Date
- Thread