[CentOS] Security advice, please

Warren Young warren at etr-usa.com
Fri Dec 26 21:18:27 UTC 2008


jkinz at kinz.org wrote:
> 
> Hi Warren, Nice explanation.

Thanks!

> I would like to ask what you
> recommend people do if they want to be able to ssh in from 
> anywhere on the internet. Say they are going to be traveling and
> they know they will have to login from machines they have no
> control over, like an internet cafe or a Hotel's business
> services suite? 

Much of what I have to say on this has been said by others here already, 
but since you asked me, I'll repeat it.

You cannot trust hardware that's been in anyone else's hands.  A 
compromised computer can be made to do *anything*.  Furthermore, 
technology exists to make it extremely difficult to tell whether it has 
been compromised.  Therefore, you must carry hardware you control, and 
that hardware must be resistant to attack.  Whether it's a hacked-up 
Palm III running uC Linux or a MacBook Air, you must be in control of 
it, top-to-bottom, if you are going to trust it with the keys it needs 
to get into your home from the outside.  If you can't trust the 
hardware, don't give it the keys.

Whatever portable system you choose, the key store must be strongly 
encrypted, or you must use a strong password on the individual keys. 
Again, this is the key to your home.  If the hardware gets stolen, you 
want those keys to be unusable.  Ideally, you want stolen hardware to be 
virtually worthless until reformatted.

I have two portable systems that I trust enough to give them the keys to 
my home system.

My primary portable is a MacBook Pro with the home directory encrypted 
with OS X's FileVault feature.  This is AES encryption, keyed with my 
login password, which is suitably strong.  Since my entire home 
directory is encrypted, I don't bother to use passwords on the ssh keys 
I keep on that system.  (I also use secure virtual memory on this 
system, for what that's worth.)

The other portable is a little Asus Eee 701, reformatted to run Ubuntu 
Eee.  (Since renamed Easy Peasy...wince...)  I haven't yet got it doing 
full disk encryption, so I password-protect its ssh key.


More information about the CentOS mailing list