passwordless ssh from laptop

Chris Green cl at isbd.net
Thu Dec 29 09:38:36 UTC 2016


On Thu, Dec 29, 2016 at 09:57:14AM +0900, Joel Rees wrote:
> On Wed, Dec 28, 2016 at 9:00 PM, Chris Green <cl at isbd.net> wrote:
> > On Tue, Dec 27, 2016 at 09:15:37AM +1100, Karl Auer wrote:
> >> On Mon, 2016-12-26 at 22:05 +0000, Colin Watson wrote:
> >> > On Tue, Dec 27, 2016 at 08:50:02AM +1100, Karl Auer wrote:
> >> > > suggests that it is not in the man page for my Ubuntu install
> >> > You're probably looking in the wrong manual page.
> >>
> >> Gaah! Of COURSE I was :-)
> >>
> >> I'm less interested in using MFA for my local logins, but very
> >> interested for remote logins. I see little point in super-strong local
> >> protections, because if they have the hardware they have what's on it.
> >> But I do want to strongly protect against remote compromise.
> >>
> > My strategy for making remote logins as secure as possible (without
> > being unusable) is as follows:-
> >
> >     My home desktop machine is behind a firewall which only allows ssh
> >     connections from two specific IP addresses.
> >
> >     The two specific IP addresses allowed are on two different hosting
> >     services that I use which allow ssh access.
> >
> > Thus, to login from the outside world I have first to make an ssh
> > connection to one of my two hosting accounts and then another ssh
> > connection from there to my home machine.
> 
> So, the attacker has to know which hosting services you are using.
> Then do an IP spoof on your local network from a compromised box on
> your local network.
> 
Unlikely, local network is small, would have to break into a pretty
remote property.

Of course they could also acquire an account on the same hosting
service that I use.

> Just to be safe, the attacker will probably poison the directory
> caches of one or two of the routers between you and your services a
> little bit ahead of time. (Then cover his/her tracks with a second
> poisoning when finished.)
> 
> heh. Don't get too paranoid, you probably don't have anything valuable
> enough to become bait for that kind of attack. The attacker's time is
> money, too.
> 
Quite!  :-)   I've not seen any evidence of attacks over the several
years I've had my system set up like this.


> Unless you are making yourself the target of an attacker with deep
> pockets, like governments and drug cartels.
> 
> Yeah, the IP restrictions are good. We just have to remember they
> aren't perfect.
> 
Nothing's perfect, not being connected to the internet is
probably the only really effective way.

-- 
Chris Green
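
Added example, not part of the original message or thread: a small audit of sshd auth log lines that flags any login attempt reaching the home machine from a source other than the two allowlisted hosting addresses, which is one way to look for the "evidence of attacks" mentioned above. The two allowlisted IPs, the host and user names, and the log lines are constructed placeholders; the line format assumed is the standard OpenSSH "Accepted/Failed ... from ... port ..." message.

```python
import ipaddress
import re

# Assumed allowlist: documentation-range placeholders for the two hosting IPs.
ALLOWED_SOURCES = {ipaddress.ip_address("198.51.100.10"),
                   ipaddress.ip_address("203.0.113.20")}

# Matches OpenSSH server auth lines such as
# "Accepted publickey for chris from 198.51.100.10 port 50022 ssh2"
SSHD_EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")

def audit(lines, allowed=ALLOWED_SOURCES):
    """Return sshd auth events whose source is outside the allowlist.

    Any hit means a connection reached sshd that the firewall should have
    dropped; an 'Accepted' hit is a login that bypassed the jump hosts.
    """
    findings = []
    for line in lines:
        m = SSHD_EVENT.search(line)
        if not m:
            continue  # not an sshd auth result line
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            # Unparseable source (e.g. a hostname): report rather than skip.
            findings.append((m.group("result"), m.group("user"), m.group("src")))
            continue
        if src not in allowed:
            findings.append((m.group("result"), m.group("user"), str(src)))
    return findings

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    "Dec 29 09:01:12 home sshd[2101]: Accepted publickey for chris from 198.51.100.10 port 50022 ssh2",
    "Dec 29 09:14:40 home sshd[2144]: Failed password for invalid user admin from 192.0.2.77 port 41812 ssh2",
    "Dec 29 09:20:03 home sshd[2150]: Accepted publickey for chris from 203.0.113.20 port 50910 ssh2",
    "Dec 29 09:31:55 home sshd[2163]: Accepted password for chris from 192.0.2.77 port 41990 ssh2",
    "Dec 29 09:32:00 home CRON[2170]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for result, user, src in audit(SAMPLE_LOG):
        print(f"{result} login for {user} from non-allowlisted source {src}")
```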




More information about the ubuntu-users mailing list