"Password validation services" -- how can we avoid creating more of them?

Jesse Adelman jesse at boldandbusted.com
Thu Dec 28 17:46:10 PST 2006


Jason Dusek wrote:
> On 12/28/06, David Wolfskill <david at catwhisker.org> wrote:
>> [sysadmins should] disallow password authentication in favor of 
>> public key authentication (or some form(s) of Kerberos
>> authentication...
> 
> Public key authentication has its own problems, doesn't it? If you 
> want to distribute keys infrequently, then you have the revocation
> list problem. If you distribute keys frequently, then you've got to
> secure that process and you're basically back to square one.
> Kerberos' combination of keys and passwords does seem like a good
> compromise, though.
> 
>> ...we still deploy services such as HTTPS or IMAPS that "need" to
>> be open to access from untrusted networks & machines, and which
>> (often?) only provide "password" as an authentication mechanism.
>> 
>> Were it up to me, I'd just set up SSH servers to only use public
>> key authentication, and have folks access everything via SSH
>> tunnels.
> 
> Well, it's reasonable to use keys when they are available -- keys 
> should be preferred, and hopefully the majority of your users will 
> have them; but password authentication helps to cover those 
> authentication corner cases that crop up every so often (a staff 
> member is on a trip, their laptop dies, they find an internet kiosk
> at the public library...)
> 

OK, here's one tip. While I don't believe in "Security by Obscurity" as
the only method to secure a network, why make it easier for crackers
when you don't have to? Like using "The Club" on your car, putting SSH
(and other sensitive administrative services) on alternate public ports
at least keeps opportunistic, quick and dumb network-block-wide scans
from picking you up on their radar. Real-world example: People who use
"The Club" on their car make it *more difficult* (but not impossible) to
boost their cars, so thieves will move on and look for easier prey. I
did this on some of the networks I'm responsible for and those pesky
bot-based and wide-net SSH login attempts from China and elsewhere
(trying to log in as "root", "admin", "manager", etc.) have stopped COLD.

Yes, you should also use every other means to secure your network within
the bounds of what your users (and you) can take without taking up arms
against you, but just making life a little more difficult for the "Bad
People" can help as well. In this case, if you then DO see break-in
attempts on these wacky ports, you can and should pay MUCH more
attention to them, since the noise level will have dropped.

Happy New Year,

Jesse Adelman
Linux SysAdmin
http://www.ilikelinux.com/
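As an added illustration (not code from the thread or from OpenSSH), a small Python audit of the sshd_config directives the thread argues about: an alternate Port, PasswordAuthentication off in favour of keys, and no root logins. It assumes sshd's rule that the first value given for a keyword wins (Port being the one keyword where every line adds a listener) and that directives after a Match line are conditional; the sample config is constructed.

```python
import re

# Constructed sample sshd_config (not from the thread); it reflects the
# post's advice: alternate port, keys preferred, root password logins refused.
SAMPLE_SSHD_CONFIG = """\
# constructed example, not a real host's config
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # later duplicate: sshd keeps the FIRST value
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Collect global directives as keyword -> [values in file order].

    sshd uses the first value it reads for a keyword, so callers take [0]
    (Port is the exception: every Port line adds a listener).  Anything
    after the first Match line is conditional and is not collected.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf

def audit_sshd_config(text):
    """Return a list of findings (empty means the config follows the advice)."""
    conf = parse_sshd_config(text)
    findings = []
    if "22" in conf.get("port", ["22"]):                   # sshd defaults to 22
        findings.append("listens on port 22: expect block-wide scans and login noise")
    if conf.get("passwordauthentication", ["yes"])[0].lower() != "no":  # default yes
        findings.append("PasswordAuthentication not disabled: prefer public keys")
    if conf.get("permitrootlogin", [""])[0].lower() != "no":  # absent is flagged
        findings.append("PermitRootLogin is not 'no': 'root' is the first name bots try")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG) or ["no findings"]:
        print(finding)
```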




More information about the Baylisa mailing list