savannah-hackers-public


Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org


From: Jim Meyering
Subject: Re: [Savannah-hackers-public] Re: [gnu.org #670138] colonialone.fsf.org Dom0 upgrade
Date: Tue, 22 Feb 2011 15:25:03 +0100

Michael J. Flickinger wrote:
> Jim Meyering wrote:
>> Bernie Innocenti wrote:
>>> On Tue, 2011-02-22 at 00:22 +0100, Jim Meyering wrote:
>>>
>>>> [...]
>>>>
>>>> Wrong comparison.
>>>> Compare using fwknop-and-alt-ssh-port to agent-fwd-through-fencepost.
>>>> The former is more secure.
>>> Ok, I'd like to propose an entirely different solution: we already
>>
>> Why?
>> Isn't IP restrictions + (fwknop-and-alt-ssh-port|fencepost-for-a-few)
>> simple and effective enough?
>
> I think this solution actually makes more sense than
> "fwknop-and-alt-ssh-port."  As Bernie mentioned, part of the reason
> this would help is because there's more than one machine in scope
> here.  Not to mention, that openvpn would provide a logged single
> point of entry, which, of course, would still require ssh to actually
> access the machines.

If it works better for you guys (setting up and maintaining), that's
what counts.  There's probably not that much difference in actual
vulnerability.  Though its use of conventional passwords is definitely a
weak point.  Have you considered using a single-use key (s-key/opie-like)
approach, so that even if someone watches me type my openvpn "password",
it's only a one-time key, and thus not useful to them?
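As an added illustration of the single-use key idea raised above, here is an S/KEY-style hash chain (a Lamport one-time-password scheme) worked through in Python. This is example code written for this page, not OPIE, S/KEY, OpenVPN or anything posted in the thread; the hash function (SHA-256 folded to 64 bits), the seed/secret format, the chain length, the class and function names and the sample credentials are all assumptions made for the example.

```python
"""S/KEY-style one-time password chain (example code, not OPIE or S/KEY itself).

The server is enrolled with H^n(seed || secret) and never learns the secret.
Login k presents H^k; the server checks H(H^k) == stored H^(k+1), then stores
H^k. Whoever watches or captures H^k cannot derive H^(k-1), the next password.
"""
import hashlib
import hmac


def fold_hash(data: bytes) -> bytes:
    # Assumption: SHA-256 truncated to 64 bits, mirroring the 64-bit fold that
    # S/KEY and OPIE apply (they used MD4/MD5 and print the result as six words).
    return hashlib.sha256(data).digest()[:8]


def hash_chain(secret: str, seed: str, count: int) -> bytes:
    """Return H^count(seed || secret): the one-time password for sequence number count."""
    value = (seed + secret).encode()
    for _ in range(count):
        value = fold_hash(value)
    return value


class OtpServer:
    """Server side of an S/KEY-style login (hypothetical class written for this example)."""

    def __init__(self, seed: str, n: int, initial: bytes):
        self.seed = seed
        self.counter = n        # sequence number of the value currently stored
        self.stored = initial   # H^n(seed || secret), registered out of band at enrolment

    def challenge(self):
        """What the server shows the client: the sequence number to compute and the seed."""
        return self.counter - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        # At counter 1 the next password would be H^0, i.e. seed || secret itself;
        # S/KEY and OPIE require re-initialisation before that point.
        if self.counter <= 1:
            return False
        if not hmac.compare_digest(fold_hash(otp), self.stored):  # constant-time compare
            return False
        # Accepted: the presented value becomes the new anchor, so it can never be reused.
        self.stored = otp
        self.counter -= 1
        return True


def run_login_sequence() -> dict:
    """Drive one user through enrolment, two logins, a replay and a stale password."""
    # Constructed sample credentials; the client holds the secret, the server only H^n.
    secret, seed, n = "correct horse battery staple", "cl01 0042", 100
    server = OtpServer(seed, n, hash_chain(secret, seed, n))

    k, s = server.challenge()
    first = hash_chain(secret, s, k)                     # client computes H^(n-1)
    results = {"first_login": server.verify(first)}
    results["replay_of_first"] = server.verify(first)   # captured password reused
    k, s = server.challenge()
    results["second_login"] = server.verify(hash_chain(secret, s, k))
    results["stale_first"] = server.verify(first)       # earlier password after advance
    results["counter_after"] = server.counter
    return results


if __name__ == "__main__":
    for name, value in run_login_sequence().items():
        print(f"{name}: {value}")
```

The sequence shows what the scheme buys and what it does not: a password that was shoulder-surfed or captured on the wire is rejected when replayed, and an older password is rejected once the chain has advanced, but an active attacker relaying the current password to the server in real time still gets that one session, the client machine holding the secret must itself be trusted, and the chain has to be re-seeded before the counter runs out. In a real deployment this logic would sit behind the VPN's username/password authentication (for example through a PAM module) rather than inside the VPN daemon.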


