Michael Klinosky <mpk2@xxxxxxxxx> writes:

> I'd like to know what threats exist for ssh - are there webpages that
> discuss this? I *thought* that using an arbitrary port and putting
> 'AllowUsers ...' into sshd_config would handle these things (along
> with a password other than 'abcd' :) ).

The problem with passwords is that you have to trust all your users to pick good ones that aren't in any attacker's dictionary. The only somewhat safe passwords are the ones that are computer generated random numbers/letters/symbols. All the others that are easy to remember for users are potential candidates for someone to put into a dictionary of passwords to try. You are in effect betting that your passwords all aren't in any attacker's dictionary yet.

If you are going to go to computer generated numbers/letters/symbols for somewhat strong passwords, you might as well go all the way and let your computer generate a 1 kbit long password for you called RSA. The attackers aren't going to be able to guess that in reasonable time and the computer has all the machinery in place to remember that 1k password for you automatically, so you never ever have to ever memorize it.

I already posted this in a different sub-thread, but I'll repeat it here. This is how to set up sshd for RSA/DSA only and avoid any password guessing attacks:

http://www.wsrcc.com/wolfgang/sshd-config.html

-wolfgang
-- 
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
Hints for IPv6 on FC6 http://www.wsrcc.com/wolfgang/fedora/ipv6-tunnel.html
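Added example, not part of the original post or of the linked page: a small audit of the global section of an sshd_config that reports whether password guessing is still possible. The two sample configs are constructed, the function names are hypothetical, and the check assumes OpenSSH's documented defaults and ignores Match blocks and PAM.

```python
# Added example: does this sshd_config still accept guessable passwords?
# Assumed OpenSSH defaults when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older releases spell keyboard-interactive as ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text):
    """Effective global values; sshd uses the first value obtained per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # simplification: only the global section is audited
        keyword = ALIASES.get(keyword, keyword)
        if keyword in DEFAULTS and keyword not in seen and len(parts) > 1:
            seen[keyword] = parts[1].strip().lower()
    return {**DEFAULTS, **seen}


def audit(config_text):
    """Findings that leave password guessing open or break key-based logins."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive authentication is enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


# Constructed samples: the setup from the question, and a key-only setup.
PORT_AND_ALLOWUSERS = "Port 2222\nAllowUsers alice\n"
KEY_ONLY = ("Port 2222\nAllowUsers alice\nPubkeyAuthentication yes\n"
            "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
            "# a later duplicate is ignored, the first value wins\n"
            "PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("port+AllowUsers", PORT_AND_ALLOWUSERS), ("key-only", KEY_ONLY)):
        print(name, audit(cfg) or "no password-guessing surface found")
```

The first sample shows that a non-standard port and AllowUsers narrow who can log in but leave both password paths at their default of enabled.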