2014-01-31 Scott Ferguson <scott.ferguson.debian.u...@gmail.com>:
> On 31/01/14 15:29, Raffaele Morelli wrote:
> > 2014-01-30 Brian <a...@cityscape.co.uk>:
> >
> >     On Thu 30 Jan 2014 at 18:53:11 +0100, Denis Witt wrote:
> >
> >     > On Tue, 28 Jan 2014 18:42:34 +0000
> >     > Brian <a...@cityscape.co.uk> wrote:
> >     >
> >     > > The AllowUsers directive is a legitimate way to restrict ssh logins to
> >     > > certain users. However, I do not see what (ssh keys + AllowUsers)
> >     > > brings to the party that (password + AllowUsers) doesn't.
> >     >
> >     > A key (if kept secret) is even harder to "guess" than a
> >     > password,
> >
> >     I'd like to see a complex, random, high-entropy 20 character password
> >     which is guessable (or capable of being cracked) in a timeframe which
> >     has some significance. I'll give you "even harder" but it is of no great
> >     consequence if you consider the situation where an online subversion of
> >     a user's account is being attempted and a good password is in place.
> >
> > I'd like to see someone who uses such a 20 character password for everyday
> > tasks.
>
> It's not only common (in some industry sectors 12 *random* characters
> regularly changed and never repeated is mandated), it's good security.
> Despite what some will advise, entropy is the measure of exhaustion
> resulting from *brute* force attacks. 50% of the time a brute force will
> only require half the entropy to succeed. Due to human bias (failure to
> use random passwords and *password* *managers*) the majority of the time
> passwords that exceed 8 characters will be composed solely of words, and
> brute force difficulty != dictionary attack difficulty (see Nyquist and
> Shannon). A significant percentage of the time those word based
> passwords will be a phrase... with even lower attack difficulty.
Agree, but this is not my point in the thread. It's a bad habit to split a comment into little pieces, losing the whole point. I've suggested the use of private key authentication and the AllowUsers directive in sshd. Brian argued that private key + AllowUsers does not improve security with respect to password + AllowUsers. I use private key authentication with a 21-character passphrase, which is at minimum more secure than a 21-character password, and unless someone kidnaps and tortures me for the passphrase and steals one of my boxes for the private key, I wonder who can prove it is not. C'mon, what's the matter with private key authentication and the OP request?
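The entropy argument quoted above (an exhaustive search succeeds after half the keyspace on average, and a word-based password costs far less to attack with a dictionary than its character count suggests), worked through as an added example; this is not code from the thread. The 95-symbol alphabet is printable ASCII; the 20000-word attacker vocabulary, the 7776-entry diceware list and the guess rates are assumptions, marked as such in the comments.

```python
import math

# Alphabet sizes. PRINTABLE_ASCII is a fact; the two word-list sizes are
# assumptions about what a user draws from and what an attacker enumerates.
PRINTABLE_ASCII = 95      # printable ASCII characters, space through '~'
DICEWARE_LIST = 7776      # 6**5 entries, the usual diceware list size (assumed)
COMMON_WORDS = 20000      # assumed attacker vocabulary for word-based guesses


def entropy_bits(alphabet_size, symbols):
    """Entropy of `symbols` independent, uniformly random picks from an alphabet."""
    return symbols * math.log2(alphabet_size)


def expected_guesses(bits):
    """Average cost of an exhaustive search: the secret is found after half the
    keyspace on average, i.e. 2**bits / 2 == 2**(bits - 1)."""
    return 2.0 ** (bits - 1)


def years_to_search(bits, guesses_per_second):
    """Average exhaustive-search time at a given guess rate, in years."""
    return expected_guesses(bits) / guesses_per_second / (365.25 * 86400)


def compare_20_char_secrets(online_rate=10.0, offline_rate=1e10):
    """Three roughly 20-character secrets, each costed with the search model
    that actually fits it (rates are constructed assumptions):
      random      20 uniformly random printable characters; only a full
                  character-level brute force applies.
      words       three common English words; a character brute force sees the
                  same 95**20 space, but a dictionary attack over word triples
                  is the realistic cost.
      diceware    four words picked uniformly from a 7776-word list, a random
                  passphrase rather than a chosen phrase.
    """
    random_bits = entropy_bits(PRINTABLE_ASCII, 20)
    words_bits = entropy_bits(COMMON_WORDS, 3)
    diceware_bits = entropy_bits(DICEWARE_LIST, 4)
    return {
        "random_bits": random_bits,
        "words_bits": words_bits,
        "diceware_bits": diceware_bits,
        "random_years_online": years_to_search(random_bits, online_rate),
        "words_years_offline": years_to_search(words_bits, offline_rate),
        "diceware_years_offline": years_to_search(diceware_bits, offline_rate),
    }


if __name__ == "__main__":
    for name, value in compare_20_char_secrets().items():
        print(f"{name:>24}: {value:.3g}")
```

The numbers make the quoted point concrete: a 20-character secret built from three common words carries roughly 43 bits against a dictionary attacker and falls in minutes offline, while 20 random characters carry about 131 bits and are out of reach even at optimistic rates.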