Ned Slider ned@unixmail.co.uk wrote:
I don't think anyone is suggesting running SSH on a non-standard port as a sole means of defence <<
I should hope not, but the point does bear making.
We should also remember that public/private key authentication is only secure as the host the private key is stored on when keys without passphrases are employed (all too common where users don't want to trade using a password for a passphrase). <<
Another good point. This is why I strongly recommend the use of ssh-agent (or Pageant for those with a Windows desktop) as a mechanism for minimising the inconvenience of constant prompting for a strong key passphrase. Of course, this has to be coupled with awareness of the need to lock the workstation or unload the keys when leaving the desk.
The other piece of the puzzle is agent forwarding, so that I only need to keep a private key on my workstation, even when logging in to a gateway machine and then to a server beyond it. The private key file is always under my local physical control - in fact, the truly paranoid can keep their private keys on a USB device or a smartcard.
Using this approach, I can sit at my university office desk, provide a passphrase once when loading a key into the ssh agent, and then connect through firewalls to machines in my home office, with no further prompting or inconvenience and very low probability of the private key being compromised.
Best,
--- Les Bell, RHCE, CISSP [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909
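Editor's added example, not part of Les Bell's post: a POSIX shell script that sets up the workflow he describes (passphrase entered once into ssh-agent, then hops through a gateway with the private key never leaving the workstation) and adds the check a practitioner would want. It writes a client config using ProxyJump, which tunnels the inner connection through the gateway so the gateway never sees the agent at all; agent forwarding is left off everywhere except one explicit alias, because while a forwarded session is open, root on the gateway can use (though not copy) any key in the agent. The hostnames, usernames, key path and Host aliases are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): an ssh-agent session with a
# bounded key lifetime, a client config that hops through a gateway without
# exposing the agent to it, and a quick audit of where forwarding is enabled.
# Hostnames, users, key paths and aliases below are assumed, not real.

# Generate a client config for "workstation -> gateway -> home servers".
# ProxyJump tunnels the inner connection through gw, so gw never sees the
# agent; ForwardAgent is off everywhere except one explicit alias.
write_ssh_config() {
    cat > "$1" <<'EOF'
# Assumed names for illustration.
Host gw
    HostName gateway.example.org
    User les
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

# Reach machines behind the gateway; the key never leaves the workstation.
Host home-*
    HostName %h.home.example.org
    User les
    ProxyJump gw
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

# Only when you truly need to ssh onward *from* the gateway: while this
# session is open, root on gw can use (not copy) any key in your agent.
Host gw-forward
    HostName gateway.example.org
    User les
    ForwardAgent yes

Host *
    AddKeysToAgent yes
    ForwardAgent no
EOF
}

# Print the Host aliases whose block turns agent forwarding on, so a
# stray "ForwardAgent yes" is easy to spot.
audit_forwarding() {
    awk 'tolower($1) == "host" { host = $2 }
         tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }' "$1"
}

# Start an agent and load one key, prompting for its passphrase once.
# Both the agent and the key get a lifetime so a forgotten session expires.
start_agent_session() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    lifetime="${2:-8h}"
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not found" >&2; return 1; }
    eval "$(ssh-agent -s -t "$lifetime")" >/dev/null
    ssh-add -t "$lifetime" "$key"
}

# Unload every key when leaving the desk (or lock the agent with: ssh-add -x).
clear_agent() {
    ssh-add -D
}
```

Typical use: `start_agent_session ~/.ssh/id_ed25519 8h`, then `write_ssh_config ~/.ssh/config` once, after which `ssh home-nas` reaches the machine behind the gateway with no further prompts and no key material on the gateway. Run `audit_forwarding ~/.ssh/config` periodically; only aliases you consciously chose should appear.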