[CentOS] Fedora change that will probably affect RHEL

Wed Jul 29 01:15:57 UTC 2015
Warren Young <wyml at etr-usa.com>

On Jul 28, 2015, at 5:17 PM, Chris Murphy <lists at colorremedies.com> wrote:
> On Tue, Jul 28, 2015 at 4:34 PM, Warren Young <wyml at etr-usa.com> wrote:
>> But as I have repeatedly pointed out here, the stock rules really are not that onerous.  They basically encode best practices established 20 years ago.
> In order to protect a system that's Internet facing with
> challengeresponseauth (rather than PKA)

In the context of SSH, challenge/response authentication generally means things like OTP fobs and smart cards.  It is not a synonym for password auth, it is an alternative to it.

Some definitions of C/R do include password auth under the same umbrella, but SSH uses the term in a more narrow sense, where it means any system where the actual credentials do not cross the wire, only a trapdoor response from which you cannot reverse-engineer the credentials.  In that sense, PKA is also a form of C/R auth, though the OpenSSH docs don’t use the term that way.

> the minimum password quality
> would need to be at least initially onerous.

Not true.  CentOS 7 limits SSH password guesses to about 50 per second, and then only if you can rope 100 attackers together to go after a single account.  A random 9-character password will withstand about a million years of such pounding.

You only need to go beyond that when you’re trying to fend off offline attacks, such as clusters of GPU number crunchers tearing through /etc/shadow.

> Whereas if things are properly configured such that ssh is only used internally

I don’t have the luxury of setting such a boundary.  I must access remote systems via SSH all the time to do my job.

If your alternative is a VPN, all you’ve done is shift the burden, since that is equivalent to PSK and strong passwords in SSH.  In fact, properly configured, SSH is a form of VPN.