[tor-relays] List of Relays' Available SSH Auth Methods
Libertas
libertas at mykolab.com
Tue Nov 18 18:44:55 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Tor nodes, particularly Tor exit nodes, are high risk targets.
Also, the key is accessed from your ~/.ssh directory automatically, so
it's actually easier than password auth. Just give the SSH command and
you're in!
On 11/18/2014 01:41 PM, Kevin de Bie wrote:
> You could also just want on the spot access to your box without
> needing some key. I personally believe a proper un/pw combination
> used in conjunction with fail2ban is sufficiently secure for pretty
> much anything that is not a high risk target.
>
>
> Op 19:10 di 18 nov. 2014 schreef Dan Rogers
> <dan at holdingitwrong.com <mailto:dan at holdingitwrong.com>>:
>
>
>
> IMO there could occasionally be reasons not to use key logins
> (although I do normally disable pwd login). E.g. if I have a key,
> I then have evidence somewhere (USB/HD), whereas a secure password
> can be kept only in my head (until they waterboard me). Especially
> in countries (e.g. the UK) that can force you to hand over
> encryption keys. I'd rather have an insecure Tor node than get
> arrested (although tbh with fail2ban installed I don't think pwd
> bruteforcing is a threat).
>
>
>
>
> On 18/11/14 17:46, Jeroen Massar wrote:
>> On 2014-11-18 18:38, Kevin de Bie wrote:
>>> Fail2Ban works really well. Shifting to a non standard port
>>> only stops the scriptkids from having too much automated
>>> options and does not do anything for actual security. For this
>>> reason I personally never bothered with that. Non standard
>>> username and password auth with fail2ban makes brute forcing
>>> practically impossible, this is usually how I have things
>>> configured.
>> Just changing it to key-based authentication stops ALL
>> password-guessing attacks.
>>
>> You will then be left with the logs though.
>>
>>
>> Hence lets make a little list for clarity in order of "should at
>> least do":
>>
>> - Use SSH Authentication - Disable Password Authentication - Use
>> Fail2ban - Restrict on IP address (no need for fail2ban then)
>>
>> Greets, Jeroen
>>
>> _______________________________________________ tor-relays
>> mailing list tor-relays at lists.torproject.org
>> <mailto:tor-relays at lists.torproject.org>
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
> -- Dan Rogers +44 7539 552349 skype: dan.j.rogers gpg key
> <https://secure.techwang.com/gpg/public_key.txt> linkedin
> <http://www.linkedin.com/in/danrogerslondon> | twitter
> <http://twitter.com/danjrog> | spotify
> <http://open.spotify.com/user/bonkbonkonk> | music
> <http://holdingitwrong.com>
> _________________________________________________ tor-relays
> mailing list tor-relays at lists.torproject.__org
> <mailto:tor-relays at lists.torproject.org>
> https://lists.torproject.org/__cgi-bin/mailman/listinfo/tor-__relays
>
>
<https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>
>
>
>
> _______________________________________________ tor-relays mailing
> list tor-relays at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJUa5OnAAoJELxHvGCsI27N404P/A3IdIuKxPfwi7rGCZPVJEby
yqqqZLsp3u9ilyaDDf/h03nNeM0Qo0aBEkzIBzeOa0JC7ot4JJ3oBdy5YrukX+xI
iyX9Z723WvBac6AYd2NkYQHuRoqJLIG6ji6LPN91xpDVT0lwV05cOtsBbuKwZ/kg
1haIoenyn+WqJHSwyW7d1GITyrRUM+s/I/D1u18IX3ZFsgSVnASHKcdUQx/UpOnv
Hmb/GASmo6ceAGScm7dlxzfFsoOPdkm6YUS01Gh9NaxIpRQb6/vhYX7wkdxu71Zz
kZt2X5xNb3XhtT3/zB02sNCB1wIskcwAj6fZNxhgN3ml2/skkVhxn4bp0OQXTIGo
R95iOD970/65QeaM1JY+wRQcCGuRLwdUPB09TrIeq7QSeP+g5kiXu8KUclrpB5yj
0wKnukC/3r5qUW+QFBuVUcBDIREqTdrqBNkB2wl8e9SPw45Rld/shjCYGrPBrzTw
kuujuez0AuCfUFjHsp1rZ8qTTBlEqzZIMwFX0aSVeutTOeTh2Rvbvqxg1oDKRunr
yrxGyjb+4kPsC44thj0pOMKAqCetLi1Pxqw0N0oEC1FTICpm86Tu/S3ESC3LsiHd
RvZ0U99GYWWIBIAiMpJLumz501oq0AkvWLfpSGDpC3J93zzZsXVtQpOSJlHWKXxL
SV/P5+BWY45pm5LXtup+
=qyxb
-----END PGP SIGNATURE-----
More information about the tor-relays
mailing list