SSH hacked?

[Gilles Gravier]

Hi!

Steve Lamb wrote:
> Gilles Gravier wrote:
>   
>> No reason to not let SSH port 22 open if the security behind it is good.
>> By using knockd, you are adding an additional layer which isn't strictly
>> necessary.
>>     
>
>     At a friend's house, no key, how to log in?  And again, there is a good
>   
Carry your key in a USB stick.

Or even better. Make your favorite SSH client available from a web page.
Use appGATE's MindTerm (http://www.appgate.com/mindterm/ - Java SSH
client which can be served as an application or an applet - it's free
for personal and even small business use, and source is available).

I serve mine from my own web site, that way I can always access it from
any place on the planet... and I have a USB stick with a digital
certificate. All I need to do is tell MindTerm to use the key from the
USB storage... Most machines these days have USB ports...
> reason to not leave it open.  It is the same reason for every service.  If it
> isn't needed to be wide open DO NOT LEAVE IT WIDE OPEN, PERIOD!  No, I'm not
> sorry about the caps.  It cannot be stated enough when such poor thinking in
> terms of security is being spread as reasonable.  It boils down to this,
> closing it off unless the world needs to touch it inoculates your system from
> *all* past, present and *future* exploits, known or *unknown*.  Opening it up
> makes it vulnerable to all present and *future* known and *unknown* problems.
>   
Telling users to use a secret sequence of port opens is just equivalent
to giving them a second password... and just as (in)safe. If I'm behind
such a user and I see them open sequential connects to a machine before
SSHing... it's an easy guess. Then I watch again over their shoulder for
the password and voila. Thanks for the easy way in.
>     Key words are future and unknown.  If you think SSH is secure remember
> that for almost 2 *years* it wasn't.
>
> -----
> DSA-1571-1 openssl -- predictable random number generator
>
> Date Reported:
>     13 May 2008
>
> [snip to relevant portion of the vulnerability]
>
>     The first vulnerable version, 0.9.8c-1, was uploaded to the unstable
> distribution on 2006-09-17...
> ----
You imagine that knockd is secure? What proof do you have that some
obscure vulnerability won't be found that enables a buffer overflow
opening ANY arbitrary port on the machine (I'm not saying that this is
the case today...). Adding ANY additional layer is accepting the chance
that that additional layer may have its own bugs.

There is no 100% security.

Good, complex passwords are a very very good solution, in particular if
you change them often... but that only prevents somebody eavesdropping
over your shoulder. A good password shouldn't be vulnerable to a
dictionnary attack, and, as such, not really brute-forceable anyways.
More so now that Ubuntu enables MD5 passwords, it means you can use
arbitrary length strings and have actual sentenses. It would be very
hard for somebody to read my actual password... it's a full sentense,
with capitalization, punctuations, and multiple words. It's easy for me
to remember, but extremely hard to pick up when I type it (in particular
as I type with all my fingers).

Gilles