Lee H. Marzke on 26 Jul 2017 11:56:42 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] SSH Hardening : Request for Best Practices

I'm finding more and more uses for the Yubikey which may be of interested to this group.  It is a small USB
device (  with touch button, or the 'nano' version resides totally inside the usb slot, with a metal touch sensitive side )

The interface is USB keyboard protocol - so no OS drivers are required , works on any OS.

The advantage is convenience of use -  just touch it with your finger for a fraction of a second to authenticate, and the
small nano unit that disappears  inside the usb slot is always with your laptop.

All Yubikey management software is all open-source and cross platform.   The Yubikeys themselves have several writable 'slots'
for keys, but the internal  'program' is not writable or upgradeable,  so they are impervious to many attacks.   They also support OATH,
TOTP,  CICD,  static keys,  and Yubikey protocol.

I don't yet use Yubikey's  for GPG/SSH keys  but review the following link.  Each Yubikey can store multiple keys in different 'slots'.
and do multiple protocols such as SSH and TOTP. 

More info is available at:
https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/

A simpler implementation might be to just use a really long SSH passphrase and put that in a static slot on the
Yubikey or combine with a user entered PIN,  both of which require no programming.  For the 2nd
you type a few characters then touch the Yubikey which adds more characters for the complete passphrase.

Lee


From: "Louis K" <louis.kratz@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Wednesday, July 26, 2017 9:07:56 AM
Subject: [PLUG] SSH Hardening : Request for Best Practices
I'm in the process of hardening an ssh server on my home network I plan on exposing so I can access it remotely. I've configured a number of typical hardening approaches (non standard port, disable root login, require keys, limit to single user). 
I'd love to hear people's general recommendations for best practices, and have two specific questions:
*  I'm considering adding two factor auth in addition to the ssh keys. Is this overkill? I think in that case the 2-factor-auth really only protects me against someone getting my key (i.e., stealing my laptop and sshing in), which I _think_ is unlikely. 
* I'm going to configure sshgaurd, but but haven't decided on which firewall to use yet. I'm not super passionate about firewalls so simplicity is key. What are your opinions on pf vs ipfw vs iptables?

Thanks in advance!

Lou

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

--
"Between subtle shading and the absence of light lies the nuance of iqlusion..."  - Kryptos

Lee Marzke,  lee@marzke.net     http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
+1 800-393-5217  office        +1 484-348-2230                       fax
+1 252 627-9531  sms  ( 252 MARZKE1 )
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug