Passwordless login only
Never understood this
I don't think that anyone or anyrhing, computer or mentalist, will guess my 40+ characters long password
Comment on How to Setup a Secure Ubuntu Home Server: A Complete Guide
martinb@lemmy.sdf.org 1 day agoPasswordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
StrixUralensis@tarte.nuage-libre.fr 1 day ago
non_burglar@lemmy.world 1 day ago
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you setup pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.
StrixUralensis@tarte.nuage-libre.fr 1 day ago
Oh I see, ty !
etchinghillside@reddthat.com 1 day ago
Are you setting and managing other’s passwords?
surph_ninja@lemmy.world 1 day ago
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.
truthfultemporarily@feddit.org 1 day ago
The idea behind keys is always, that keys can be rotated. Vast majority of websites to that, you send the password once, then you get a rotating token for auth.
Most people don’t do that, but you can sign ssh keys with pki and use that as auth.
Cryptographically speaking, getting your PW onto a system means you have to copy the hash over. Hashing is not encryption. With keys, you are copying over the public key, which is not secret. Especially managing many SSH keys, you can just store them in a repo no problem, really shouldn’t do that with password hashes.
Botzo@lemmy.world 1 day ago
We can go harder: port knock to open the port to a cert-only VPN:
wiki.archlinux.org/title/Port_knocking
martinb@lemmy.sdf.org 1 day ago
Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though
Botzo@lemmy.world 1 day ago
Totally.
Port knocking is one of those “of course someone did that” things to me too. A replay attack is enough to make it security theater.
An IP allowlist is a more useful addon.