Hacker News new | past | comments | ask | show | jobs | submit login

I knew someone would raise an issue there.

If you're that concerned about security, there are a handful of additional things you can do:

* Use a non-standard ssh port

* Disable root ssh login

* Configure 'Single Packet Authorization and Port Knocking' -- http://www.cipherdyne.org/fwknop/

* Have decent iptables rules. Use either fail2ban or denyhosts with stringent rules, if you must, that ban on 3+ failed logins.

* Have a whitelist of acceptable IP's for ssh access

* Use any system of 2-factor authentication. I'm partial to Google's Authenticator. Here're some directions to get that set up, if anyone is interested: http://guides.webbynode.com/articles/security/ubuntu-google-...

But seriously, if you have keys set up and someone manages to steal them... you've really got bigger things you should be focusing on.




  * Use a non-standard ssh port
If someone has your private ssh key, then they presumably have access to your client-side ssh configuration. This might prevent random Internet attacks, but this doesn't do much against a targeted attack (which is what someone will do once they jack your private key).

  * Disable root ssh login
If your private key isn't authorized for root anyways, this doesn't really matter. This is just a point of general ssh security, not a protection against stolen private keys.

  * Configure 'Single Packet Authorization and Port Knocking' --
    http://www.cipherdyne.org/fwknop/
As with point 1, if someone is able to jack your private ssh key, they probably have enough access to view your ssh config.

  * Have decent iptables rules. Use either fail2ban or denyhosts
    with stringent rules, if you must, that ban on 3+ failed
    logins.
If someone steals your private key, then they won't have any failed login attempts. I'm unsure how you feel this makes using a password-less private key anymore secure.

  * Have a whitelist of acceptable IP's for ssh access
This presumably defeats the purpose of ssh mobility.

  * Use any system of 2-factor authentication. I'm partial to
    Google's Authenticator. Here're some directions to get that
    set up, if anyone is interested:   
Using a password (something you know) + private key (something you have) already is two-factor authentication.


No. Just No.

* Use a non-standard ssh port <= not security. plus i bet you're on 2222.

* Fail2ban: useless for key auth, you don't remote brute keys like that

* 2 factor: that is ok

If your comp can log directly without any authentication that is terrible practice. Your comp will eventually get compromised, stolen, etc and then its game over. The passphrase is no silver bullet but it helps a lot.

2 factor or tiny cryptokeys are best.


No. Just No.

With a reaction to that I expected overwhelming technical objections to everything the parent said. Based on the actual contents of your objections, I think you would have been better starting it Yes! Additionally...


All the great-grandparent's points are true, but irrelevant. There are plenty of ways to improve SSH security. None of them make having passwordless keys anything other than utterly brain-damagedly stupid.


http://news.ycombinator.com/item?id=2236081

Think of it as security through irregularity instead of security through obscurity. You are not making your box secure by changing the ssh port, but you are decreasing the number of automated attempts that will hit your ssh port, which could, in theory, reduce your security risk.


but the original objection was regarding using passwordless keys. again, the main concern here isn't about automated attacks, it's about targeted attacks. someone got your key, it doesn't matter that you're running on a non-standard port. they'll figure that out, if they're targeting your machine specifically.


I definitely agree with much of what you've pointed out.

> * Use a non-standard ssh port <= not security. plus i bet you're on 2222.

Right, marginally better than using port 22, but it's still something (better than non-action, if you will). I do hope one takes the vigilance to set a port number sufficiently high up, and sufficiently random looking. I recall something about nmap, that it scans only up to 1023 by default or something.

> * Fail2ban: useless for key auth, you don't remote brute keys like that

Still set it up -- for http and other services.

> If your comp can log directly without any authentication that is terrible practice. Your comp will eventually get compromised, stolen, etc and then its game over. The passphrase is no silver bullet but it helps a lot.

I agree... I emphasized seamless logging in because that seems to be a big point that Mosh is apparently selling itself on. I do have stronger authentication methods set up for the production machine. :)


> I do hope one takes the vigilance to set a port number sufficiently high up, and sufficiently random looking

Hopefully not over port 1023. If a user gets on the system and crashes your ssh daemon through OOM killer or one of many other methods, that non-root user can then restart its own daemon and listen to that port that you put >1023 'for security reasons'.

Accidentally answering yes when it says a new key was detected is all it takes to get keylogged.


I don't see how you could answer yes to that prompt without realizing it was the 'key has changed' prompt. Especially when half the ssh clients I've seen abort entirely when the key changes.


The issue of using ports above 1024 is that unless you redirect it to <1024 through the kernel firewall, if the ssh daemon crashes, a local user can run a daemon and compromise your keys/passwords. If you trust all your users, it should be fine though, but still...


That's why the server has a private key, too, to identify itself to the user.


You can't rely on that if you have other users connecting though. Too many people ignore even the starkest of warning messages. While that problem will not go away, keeping SSH on a port below 1024 is slightly safer and has no disadvantage other than it isn't as catchy as 2222 (and if you are using 2222, be aware that automated attacks often check that as well as 22 because of how common an alternative it is, so you might as well just use 22 and be done with it).


Best not rely on any security once attackers have access to your physical system. Someone could even take your computer, install a keylogger, and get it back to you.

If you have a Mac and secure your SSH keys with Keychain someone could take it, crack it open, freeze your memory, and dump it.

Two factor is definitely the best you could do on this front but who sets up two factor with SSH?


it's simple with yubikeys


Tiny cryptokeys?



Instead of fake security solutions, how about using something like keychain (http://www.gentoo.org/doc/en/keychain-guide.xml)? Simply kill ssh-agent as part of the sleep event and you can have security and convenience. Trivial to implement and actually accomplishes something--unlike changing server settings in a scenario where I probably have access to your computer, which already knows how to login to your server!


You realize you've effectively done the same thing as saving the password on the machine to auto-log-in with a password, right? The exception being it's harder to brute force the server (but you did mention server filtering, so forget that). They have ssh-agent for a reason.

p.s. using a password with keys is two factor




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: