Passwordless login only
Never understood this
I don't think that anyone or anyrhing, computer or mentalist, will guess my 40+ characters long password
Comment on [deleted]
martinb@lemmy.sdf.org 3 weeks agoPasswordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
StrixUralensis@tarte.nuage-libre.fr 3 weeks ago
non_burglar@lemmy.world 3 weeks ago
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
StrixUralensis@tarte.nuage-libre.fr 3 weeks ago
Oh I see, ty !
etchinghillside@reddthat.com 3 weeks ago
Are you setting and managing other’s passwords?
surph_ninja@lemmy.world 3 weeks ago
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.
truthfultemporarily@feddit.org 3 weeks ago
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Botzo@lemmy.world 3 weeks ago
We can go harder: port knock to open the port to a cert-only VPN:
wiki.archlinux.org/title/Port_knocking
martinb@lemmy.sdf.org 3 weeks ago
Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though
Botzo@lemmy.world 3 weeks ago
Totally.
Port knocking is one of those “of course someone did that” things to me too. A replay attack is enough to make it security theater.
An IP allowlist is a more useful addon.