grey at dmiyu.org
Sun Jan 18 20:51:16 UTC 2009
Gilles Gravier wrote:
> Carry your key in a USB stick.
Uhm, what USB stick?
> Or even better. Make your favorite SSH client available from a web page.
> Use appGATE's MindTerm (http://www.appgate.com/mindterm/ - Java SSH
> client which can be served as an application or an applet - it's free
> for personal and even small business use, and source is available).
Ah, yes, and give people a place to get an SSH client right from your
machine, adding a layer of redirection to the logs. Smart!
> Telling users to use a secret sequence of port opens is just equivalent
> to giving them a second password... and just as (in)safe. If I'm behind
> such a user and I see them open sequential connects to a machine before
> SSHing... it's an easy guess.
You'd see something handled by the client? Interesting.
> You imagine that knockd is secure? What proof do you have that some
> obscure vulnerability won't be found that enables a buffer overflow
> opening ANY arbitrary port on the machine (I'm not saying that this is
> the case today...).
I imagine it is, yes. Tell me, how, exactly, would you construct a buffer
overflow which attacks through the logs of the machine? Pardon me if I don't
wait for you to answer that.
> There is no 100% security.
Sure there is. Yank the cable. :P
> Good, complex passwords are a very very good solution, in particular if
> you change them often... but that only prevents somebody eavesdropping
> over your shoulder. A good password shouldn't be vulnerable to a
> dictionary attack, and, as such, not really brute-forceable anyways.
And yet none of this still comes close to just not having the port open.
I'm done arguing with your ignorance on this matter. Quite simply you are
arguing against decades of solid system security. Don't open the port unless
needed, just that simple. Go ahead and reply again if you want to continue
proving how foolish you are.
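The two points being argued over, that a knock sequence is visible to anyone
who can see the client's traffic and that it is worth about as much as a
second password, can be checked in a few lines. The following is an added
example, not code from either poster and not knockd itself: a toy knock
daemon with a hypothetical sequence (7000, 8000, 9000), a constructed packet
capture, a passive observer that recovers the sequence from the SYNs preceding
the SSH connect, and a replay of the recovered sequence from a different
source address.

```python
"""Port knocking as seen by the daemon and by a passive observer.

Constructed example: the knock sequence, the addresses and the 'capture'
below are invented for illustration and are not taken from any real
deployment or from knockd's own source.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One observed TCP SYN: capture time (seconds), source, destination port."""
    t: float
    src: str
    dport: int


KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical, like a knockd 'sequence' line
KNOCK_TIMEOUT = 10.0                 # whole sequence must arrive within this window
PROTECTED_PORT = 22


class KnockDaemon:
    """Tracks each source's progress through the sequence; a wrong port or a
    stale attempt resets that source, matching the usual knockd behaviour."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}      # src -> (index of next expected port, time of first knock)
        self.opened_for = set() # sources for which PROTECTED_PORT was opened

    def observe(self, syn):
        """Feed one SYN; return True when this SYN completes the sequence."""
        idx, t0 = self.progress.get(syn.src, (0, syn.t))
        if idx and syn.t - t0 > self.timeout:
            idx, t0 = 0, syn.t                  # too slow: start over
        if syn.dport != self.sequence[idx]:
            self.progress.pop(syn.src, None)    # miss: no partial credit
            return False
        if idx == 0:
            t0 = syn.t
        idx += 1
        if idx == len(self.sequence):
            self.opened_for.add(syn.src)
            self.progress.pop(syn.src, None)
            return True
        self.progress[syn.src] = (idx, t0)
        return False


def recover_knock(syns, protected_port=PROTECTED_PORT, window=KNOCK_TIMEOUT):
    """Passive observer: for every SYN to the protected port, report the ports
    the same source hit in the preceding window. Returns {src: port tuple}."""
    by_src = {}
    for s in sorted(syns, key=lambda s: s.t):
        by_src.setdefault(s.src, []).append(s)
    guesses = {}
    for src, pkts in by_src.items():
        for i, s in enumerate(pkts):
            if s.dport != protected_port:
                continue
            prior = tuple(p.dport for p in pkts[:i]
                          if s.t - p.t <= window and p.dport != protected_port)
            if prior:
                guesses[src] = prior
    return guesses


def replay(sequence, src="192.0.2.66"):
    """Send the recovered sequence from another address against a fresh daemon;
    return whether the protected port was opened for that address."""
    d = KnockDaemon()
    t = 500.0
    for port in sequence:
        d.observe(Syn(t, src, port))
        t += 0.5
    return src in d.opened_for


def knock_bits(n_knocks, ports=65535):
    """Search space of an N-knock sequence in bits, for comparison with a password."""
    return n_knocks * math.log2(ports)


# Constructed capture: the user knocks, then opens SSH; another host is noise.
CAPTURE = [
    Syn(100.0, "10.0.0.5", 7000),
    Syn(100.4, "10.0.0.5", 8000),
    Syn(100.9, "10.0.0.5", 9000),
    Syn(101.5, "10.0.0.5", 22),
    Syn(130.0, "10.0.0.9", 80),
]

if __name__ == "__main__":
    daemon = KnockDaemon()
    for pkt in CAPTURE:
        daemon.observe(pkt)
    print("daemon opened 22 for:", sorted(daemon.opened_for))
    guess = recover_knock(CAPTURE)
    print("observer recovered:", guess)
    print("replay from another host works:", replay(guess["10.0.0.5"]))
    print("3-knock sequence is about %.0f bits" % knock_bits(3))
```

Run as-is it uses the embedded capture; point recover_knock() at SYNs pulled
from a real pcap and the observer side is the same. Three 16-bit knocks are
roughly 48 bits of search space, in the same range as an 8-character random
password, with the difference that the knock is sent in the clear every time
it is used.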