[OpenIndiana-discuss] How to manage a send over ssh

Timothy Coalson tsc5yc at mst.edu
Thu Mar 23 23:49:42 UTC 2017


On Thu, Mar 23, 2017 at 6:19 PM, jason matthews <jason at broken.net> wrote:

>
>
> On 3/23/17 2:56 PM, Timothy Coalson wrote:
>
>> The main advantage with this way is that you don't leave root ssh exposed
>> for people to try to break into, and the special user for receiving can't
>> get higher privileges for anything other than "zfs".
>>
>
> With the notable exception that your unprivileged user can destroy your
> file systems :)
>

Well, yes, but fumble-fingering "pfexec zfs destroy -r <pool>/<filesystem>"
as this user (and there being no holds on any snapshots) is less likely
than fumble-fingering "rm -rf /" as root - not everything is about security
from attackers ;)

The main security feature is that the username is of your choosing, and not
"root", while attempting ssh as "root" is a classic of casual attacks (and
why it is disabled by default in the first place).  This machine is behind
a firewall anyway (it serves NFSv3, after all), or I would be taking more
extreme measures...


> if you are worried about someone brute forcing your password use a strong
> password (at least 13 but I like 20 characters with normal entropy
> techniques).
> edit /etc/security/policy.conf
> find the line that reads CRYPT_DEFAULT= and set the value to 2a -- this
> will set the hash to Blowfish
> optionally edit /etc/security/crypt.conf and edit the 2a line to read:
> 2a crypt_bsdf.so.1 rounds=16
>
> You could use more rounds but this will increase the time it takes to
> validate the password. The upside is this should pretty much eliminate the
> possibility of someone cracking your passwords. Remember this, if it takes
> less than one second to login (on an idle system) whether it be shell or
> web, your passwords can probably be cracked easily. These settings should
> significantly reduce the chance of some GPU coming along and cracking your
> passwords. Blowfish cannot be implemented well on current GPUs.
>
> When you are done, your hash should look something like this:
> jason:$2a$16$2ynmKaAAnKZYWLF8umslZeHjkVIX6iDLsx345k59rVkBF/8zWdCqO:17248::::::
>
> If someone can crack this hash I will buy you a beer.
>

There's some logic to why the shadow file isn't world-readable.  You might
want to reset that password soon anyway (if you haven't already), as the
NSA may decide not to ask for that beer ;)


> The three characters of the hash identify it as blowfish, $2a, the
> next sequence $16, indicates I have configured sixteen rounds. I timed this
> so I happen to know it took seven CPU seconds to hash the password. Seven
> seconds should severely put a dent in the aspirations of anyone wanting to
> crack your shadow file.
>
> j.
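An added example, not part of the original thread: a stdlib-only Python check of shadow entries in the format shown in the quoted message. It reports the crypt scheme and, for Blowfish hashes, the iteration count implied by the two-digit cost field (2 raised to that value). The sample entries, the `audit_entry` name and the `min_cost=12` threshold are assumptions constructed for illustration.

```python
import re

# Scheme identifiers found between the first two '$' of the password field.
SCHEMES = {"1": "BSD MD5", "2a": "Blowfish (bcrypt)", "md5": "Sun MD5",
           "5": "SHA-256", "6": "SHA-512"}
# $2a$<cost>$ followed by 22 salt + 31 hash characters in the bcrypt alphabet.
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

def audit_entry(line, min_cost=12):
    """Return (user, scheme, iterations, finding) for one shadow line.

    min_cost is an assumed local policy value, not taken from the thread.
    """
    user, field = line.split(":")[:2]
    if field in ("", "NP", "UP") or field.startswith("*LK*"):
        return user, None, 0, "no usable password hash"
    if not field.startswith("$"):
        return user, "traditional crypt", 0, "legacy hash"
    ident = field.split("$")[1]
    m = BCRYPT.match(field)
    if m:
        cost = int(m.group(1))
        finding = "ok" if cost >= min_cost else "cost below %d" % min_cost
        # The cost field is a base-2 logarithm: 16 means 2**16 iterations.
        return user, SCHEMES["2a"], 1 << cost, finding
    if ident.startswith("2"):
        return user, SCHEMES["2a"], 0, "malformed Blowfish field"
    return user, SCHEMES.get(ident, "unknown"), 0, "not Blowfish"

# Constructed sample data: FAKE is filler, not a real salt or hash.
FAKE = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
SAMPLE = [
    "alice:$2a$16$" + FAKE + ":17248::::::",
    "bob:$2a$04$" + FAKE + ":17248::::::",
    "carol:$5$saltsalt$" + "x" * 43 + ":17248::::::",
    "svc:NP:17248::::::",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print("%-6s %-18s iterations=%-6d %s" % audit_entry(entry))
```

Entries that still report a scheme other than Blowfish after `CRYPT_DEFAULT` has been changed belong to accounts whose passwords have not been set again since the change.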