<html><head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head><body bgcolor="#FFFFFF" text="#000000">Yep - disallowing
keyboard-interactive and accepting only certificates. I turn off
PermitRootLogin and only allow certificates. Barring some kind of
exploit in sshd, that ought to be secure enough.<br>
<br>
<span>Steven Donegan wrote:</span><br>
<blockquote
cite="mid:1561423323.959800.1444082243466.JavaMail.yahoo@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue,
Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px">Using
certificates for ssh is yet another method :-) <br><div
id="yui_3_16_0_1_1443990021550_67368"><span></span></div><div
id="yui_3_16_0_1_1443990021550_67369"> </div><div
id="yui_3_16_0_1_1443990021550_67423" class="signature">Steven Donegan<br>KK6IVC
General Class FCC License<br>Silver State Car #86<br><a class="moz-txt-link-abbreviated" href="http://www.sscc.us">www.sscc.us</a></div><br>
<div id="yui_3_16_0_1_1443990021550_67426" style="font-family:
HelveticaNeue-Light, Helvetica Neue Light, Helvetica Neue, Helvetica,
Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div
id="yui_3_16_0_1_1443990021550_67425" style="font-family: HelveticaNeue,
Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size:
16px;"> <div id="yui_3_16_0_1_1443990021550_67424" dir="ltr"> <hr
size="1"> <font face="Arial" size="2"> <b><span
style="font-weight:bold;">From:</span></b> Bryan D. Boyle
<a class="moz-txt-link-rfc2396E" href="mailto:bdboyle@bdboyle.com"><bdboyle@bdboyle.com></a><br> <b><span style="font-weight: bold;">To:</span></b>
Steven Donegan <a class="moz-txt-link-rfc2396E" href="mailto:donegan@donegan.org"><donegan@donegan.org></a> <br><b><span
style="font-weight: bold;">Cc:</span></b> Steve Zingman
<a class="moz-txt-link-rfc2396E" href="mailto:szingman@msgstor.com"><szingman@msgstor.com></a>; <a class="moz-txt-link-rfc2396E" href="mailto:app_rpt-users@ohnosec.org">"app_rpt-users@ohnosec.org"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:app_rpt-users@ohnosec.org"><app_rpt-users@ohnosec.org></a> <br> <b><span style="font-weight:
bold;">Sent:</span></b> Monday, October 5, 2015 2:49 PM<br> <b><span
style="font-weight: bold;">Subject:</span></b> Re: [App_rpt-users] New
Official Allstar Distribution Released (DIAL)<br> </font> </div> <div
id="yui_3_16_0_1_1443990021550_67427" class="y_msg_container"><br><div
id="yiv8734587087"><div id="yui_3_16_0_1_1443990021550_67429"><div
id="yui_3_16_0_1_1443990021550_67428">Using a jump box as you describe
is one way...not allowing SSH from the outside adds a layer; setting up a
secue VDI capability to the jumpbox over a vpn is yet a third
way...;). </div><div id="yiv8734587087AppleMailSignature"><br
clear="none"></div><div id="yiv8734587087AppleMailSignature">my rule: if
it's exposed to the net, it's potentially vulnerable. Just turn on
your SIP port and pop some popcorn to see...;)<br clear="none"><br
clear="none">--<div>Bryan</div><div>Sent from my iPhone 5.<span
style="font-size:13pt;">..No electrons were harmed in the sending of
this message.</span></div><div><br clear="none"><div><br clear="none"></div></div></div><div
class="qtdSeparateBR"><br><br></div><div
class="yiv8734587087yqt0199404845" id="yiv8734587087yqt51679"><div><br
clear="none">On Oct 5, 2015, at 17:39, Steven Donegan <<a
moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:donegan@donegan.org" target="_blank"
href="mailto:donegan@donegan.org">donegan@donegan.org</a>> wrote:<br
clear="none"><br clear="none"></div><blockquote type="cite"><div><div
style="color:#000;background-color:#fff;font-family:HelveticaNeue-Light,
Helvetica Neue Light, Helvetica Neue, Helvetica, Arial, Lucida Grande,
sans-serif;font-size:16px;"><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65382">Direct root login
being disallowed IF there were no other way to get full root privileges
(not the case here) was considered best practice. However in almost
every case there is a user (on Raspbian user pi) that can simply login,
sudo -s and do whatever they want. Yes it puts up a small hurdle but I
don't see it as a serious one.</div><div><br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65659">In short, there is
almost no setup that will allow you to completely lock out root with the
exception of a few well designed appliances. And that means someone is
out there doing support to get things resolved. This system is not of
that flavor and root is necessary for many things so frankly adding a
hurdle or two really doesn't appreciably make the system more secure.</div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65660"><br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65661">Require a long pass
phrase (say 20 mixed characters or so) and this whole thing is moot...</div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65662"><br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65663">And BTW - putting
sshd on port 222 (or anything except 22) is security by obscurity - many
tools can find standard protocols on non-standard ports :-) (I know, I
wrote one)<br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65683"><br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65684">The best bet is to
not allow ssh at all. If that is not feasible then do the su or sudo
thing and/or set up an intermediate system such that you access a
non-privileged account on system A, then ssh to system B and system B
will ONLY accept ssh from system A. Still can be beaten but it is a bit
harder...</div><div id="yiv8734587087yui_3_16_0_1_1443990021550_65685"><br
clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65686">And BTW - I have done
infosec for about 20 years so I am allowed to have an opinion on this
topic :-)<br clear="none"></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65327"><span></span></div><div
id="yiv8734587087yui_3_16_0_1_1443990021550_65326"> </div><div
class="yiv8734587087signature"
id="yiv8734587087yui_3_16_0_1_1443990021550_65291">Steven Donegan<br
clear="none">KK6IVC General Class FCC License<br clear="none">Silver
State Car #86<br clear="none"><a moz-do-not-send="true" rel="nofollow"
shape="rect" target="_blank" href="http://www.sscc.us/">www.sscc.us</a></div><br
clear="none"> <div id="yiv8734587087yui_3_16_0_1_1443990021550_65306"
style="font-family:HelveticaNeue-Light, Helvetica Neue Light, Helvetica
Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;"> <div
id="yiv8734587087yui_3_16_0_1_1443990021550_65305"
style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px;"> <div dir="ltr"
id="yiv8734587087yui_3_16_0_1_1443990021550_65304"> <hr size="1"> <font
face="Arial" size="2"> <b><span style="font-weight:bold;">From:</span></b>
Steve Zingman <<a moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:szingman@msgstor.com" target="_blank"
href="mailto:szingman@msgstor.com">szingman@msgstor.com</a>><br
clear="none"> <b><span style="font-weight:bold;">To:</span></b> "<a
moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank"
href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>"
<<a moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:app_rpt-users@ohnosec.org" target="_blank"
href="mailto:app_rpt-users@ohnosec.org">app_rpt-users@ohnosec.org</a>>
<br clear="none"> <b><span style="font-weight:bold;">Sent:</span></b>
Monday, October 5, 2015 2:24 PM<br clear="none"> <b><span
style="font-weight:bold;">Subject:</span></b> [App_rpt-users] New
Official Allstar Distribution Released (DIAL)<br clear="none"> </font> </div>
<div class="yiv8734587087y_msg_container"><br clear="none"><div
id="yiv8734587087"><div>
</div><div><pre style="white-space:pre-wrap;color:rgb(0, 0, 0);font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;widows:1;word-spacing:0px;">Dave,
Let's say I agree with you. And I well may.
On most internet exposed machines, I don't even allow ssh unless I trust your address or require a VPN.
I agree is common practice to not allow it.
Now the question is why?
As John McLaughlin would say, DISCUSS!
On 10/05/2015 08:40 AM, Steve Zingman wrote:
><i> root login via SSH is now allowed
</i>
> This is a bad idea. Root should *never* be allowed to login to a system
> remotely. It's better to log in as a normal user and then become root
> via su, sudo, etc.
> - Dave
</pre>
<br clear="none">
<pre class="yiv8734587087moz-signature">--
"Anything is possible if you don't know what you are talking about."
1st Law of Logic</pre><div class="yiv8734587087qtdSeparateBR"><br
clear="none"><br clear="none"></div><div
class="yiv8734587087yqt8052708876" id="yiv8734587087yqtfd88066">
</div></div></div><br clear="none"><div
class="yiv8734587087yqt8052708876" id="yiv8734587087yqtfd80175">_______________________________________________<br
clear="none">App_rpt-users mailing list<br clear="none"><a
moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:App_rpt-users@ohnosec.org" target="_blank"
href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a><br
clear="none"><a moz-do-not-send="true" rel="nofollow" shape="rect"
target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a><br
clear="none"><br clear="none">To unsubscribe from this list please
visit <a moz-do-not-send="true" rel="nofollow" shape="rect"
target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users
</a>and scroll down to the bottom of the page. Enter your email address
and press the "Unsubscribe or edit options button"<br clear="none">You
do not need a password to unsubscribe, you can do it via email
confirmation. If you have trouble unsubscribing, please send a message
to the list detailing the problem. </div><br clear="none"><br
clear="none"></div> </div> </div> </div></div></blockquote></div><blockquote
type="cite"><div><span>_______________________________________________</span><br
clear="none"><span>App_rpt-users mailing list</span><br clear="none"><span><a
moz-do-not-send="true" rel="nofollow" shape="rect"
ymailto="mailto:App_rpt-users@ohnosec.org" target="_blank"
href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a></span><br
clear="none"><span><a moz-do-not-send="true" rel="nofollow"
shape="rect" target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a></span><br
clear="none"><span></span><br clear="none"><span>To unsubscribe from
this list please visit <a moz-do-not-send="true" rel="nofollow"
shape="rect" target="_blank"
href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
and scroll down to the bottom of the page. Enter your email address and
press the "Unsubscribe or edit options button"</span><br clear="none"><span>You
do not need a password to unsubscribe, you can do it via email
confirmation. If you have trouble unsubscribing, please send a message
to the list detailing the problem. </span></div></blockquote></div></div><br><br></div>
</div> </div> </div>
<pre wrap="">_______________________________________________
App_rpt-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:App_rpt-users@ohnosec.org">App_rpt-users@ohnosec.org</a>
<a class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a>
To unsubscribe from this list please visit <a class="moz-txt-link-freetext" href="http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users">http://ohnosec.org/cgi-bin/mailman/listinfo/app_rpt-users</a> and scroll down to the bottom of the page. Enter your email address and press the "Unsubscribe or edit options button"
You do not need a password to unsubscribe, you can do it via email confirmation. If you have trouble unsubscribing, please send a message to the list detailing the problem. </pre>
</blockquote>
<br>
</body></html>