passwordless ssh from laptop

Joel Rees joel.rees at gmail.com
Thu Dec 29 00:57:14 UTC 2016


On Wed, Dec 28, 2016 at 9:00 PM, Chris Green <cl at isbd.net> wrote:
> On Tue, Dec 27, 2016 at 09:15:37AM +1100, Karl Auer wrote:
>> On Mon, 2016-12-26 at 22:05 +0000, Colin Watson wrote:
>> > On Tue, Dec 27, 2016 at 08:50:02AM +1100, Karl Auer wrote:
>> > > suggests that it is not in the man page for my Ubuntu install
>> > You're probably looking in the wrong manual page.
>>
>> Gaah! Of COURSE I was :-)
>>
>> I'm less interested in using MFA for my local logins, but very
>> interested for remote logins. I see little point in super-strong local
>> protections, because if they have the hardware they have what's on it.
>> But I do want to strongly protect against remote compromise.
>>
> My strategy for making remote logins as secure as possible (without
> being unusable) is as follows:-
>
>     My home desktop machine is behind a firewall which only allows ssh
>     connections from two specific IP addresses.
>
>     The two specific IP addresses allowed are on two different hosting
>     services that I use which allow ssh access.
>
> Thus, to login from the outside world I have first to make an ssh
> connection to one of my two hosting accounts and then another ssh
> connection from there to my home machine.

So, the attacker has to know which hosting services you are using.
Then do an IP spoof on your local network from a compromised box on
your local network.

Just to be safe, the attacker will probably poison the directory
caches of one or two of the routers between you and your services a
little bit ahead of time. (Then cover his/her tracks with a second
poisoning when finished.)

heh. Don't get too paranoid, you probably don't have anything valuable
enough to become bait for that kind of attack. The attacker's time is
money, too.

Unless you are making yourself the target of an attacker with deep
pockets, like governments and drug cartels.

Yeah, the IP restrictions are good. We just have to remember they
aren't perfect.

-- 
Joel Rees

I'm imagining I'm a novelist:
http://reiisi.blogspot.jp/p/novels-i-am-writing.html
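
Added example, not part of the original message: one way to check that the two-address allowlist described in this thread is holding is to audit sshd's auth log for login events from any other source. The allowlisted addresses (documentation-range placeholders), the sample log lines and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: the two jump-host addresses (documentation-range placeholders).
ALLOWED = [ipaddress.ip_network("203.0.113.10/32"),
           ipaddress.ip_network("198.51.100.20/32")]

# OpenSSH auth.log lines: "Accepted <method> for <user> from <ip> port <n> ssh2"
# and "Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

# Constructed sample log lines, not taken from a real system.
SAMPLE_LOG = """\
Dec 29 00:10:01 home sshd[2101]: Accepted publickey for chris from 203.0.113.10 port 50122 ssh2: RSA SHA256:constructed
Dec 29 00:12:44 home sshd[2140]: Failed password for invalid user admin from 192.0.2.77 port 40022 ssh2
Dec 29 00:15:09 home sshd[2188]: Accepted password for chris from 192.168.1.23 port 51514 ssh2
Dec 29 00:20:30 home sshd[2201]: Accepted publickey for chris from 198.51.100.20 port 50388 ssh2: RSA SHA256:constructed
Dec 29 00:21:00 home sshd[2210]: Connection closed by 203.0.113.10 port 50400 [preauth]
"""

def is_allowed(ip_text):
    """True if the address parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source: treat as not allowlisted
    return any(addr in net for net in ALLOWED)

def audit(log_text):
    """Return (result, user, ip) for every auth event from a non-allowlisted source."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and not is_allowed(m.group("ip")):
            findings.append((m.group("result"), m.group("user"), m.group("ip")))
    return findings

if __name__ == "__main__":
    for result, user, ip in audit(SAMPLE_LOG):
        # Any event listed here reached sshd without coming from a jump host.
        print(f"{result:8} user={user} from={ip}")
```

An "Accepted" finding from a LAN address, as in the constructed sample, is the case a perimeter-only firewall rule does not cover.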




More information about the ubuntu-users mailing list