OTP in 5 minutes? I think it would take at least 10 to explain how they work ...
In this case. If only servers are "in-play" then the keys are secure
on the laptops "out-of-play".
Yeah I'm splitting hairs, but rules are rules :-)
And the instructor (not me) who's running this mis-heard the
require
And ... the Linux is Red Hat.
On Wed, Feb 3, 2010 at 6:43 AM, Joseph Kern wrote:
> OTP in 5 minutes? I think it would take at least 10 to explain how they work
> ...
> In this case. If only servers are "in-play" then the keys are secure
> on the laptops "out-of-play".
> Yeah I'm splitting hairs,
Thanks everyone! I sent the checklist off to the team. With a little
"something" extra for the attackers :-)
LOSPA-NJ members see you tomorrow.
--Joseph Kern
On Wed, Feb 3, 2010 at 11:04 AM, Joseph Kern wrote:
> And ... the Linux is Red Hat.
>
> On Wed, Feb 3, 2010 at 6:43 AM, Joseph Kern wrot
wups, missed the cut-off but I'm surprised that nobody mentioned installing
mod_security into Apache and at least enabling the inbuilt chroot
functionality.
-s
On Tue, Feb 2, 2010 at 9:14 AM, Joseph Kern wrote:
> Here's what I got so far ... suggestions?
>
> On Tue, Feb 2, 2010 at 8:21 AM, Edwa
On Tue, Feb 02, 2010 at 09:06:09PM -0500, Edward Ned Harvey spake thusly:
> Why is it so common to jump to the conclusion that keys-only-ssh is
> more secure than passwords?
Because then you can't get in even if you have the password (but
nothing else)?
> I somewhat or sometimes disagree with thi
Tracy Reed wrote:
>> The proper way to do it (Plan A) is to use keys only, but ensure
>> your keys are themselves protected by password.
>
> Ensure how? I think making it clear that creating an unencrypted key
> is a firing offense is good enough but others disagree and insist on
> technical measu
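One technical measure for the point raised above, as an added example that is not part of the thread: a small Python check that reports whether a private key file is passphrase-protected, by reading the cipher name in the openssh-key-v1 preamble or the Proc-Type line of a legacy PEM key. The sample key texts below are constructed for illustration and contain no real key material.

```python
"""Report whether an SSH private key is passphrase-protected (encrypted)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    # SSH wire format: uint32 big-endian length followed by that many bytes
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_is_encrypted(text):
    """Return True if the key text is encrypted, False if it is stored in the clear.

    Raises ValueError for input that is not a recognised PEM-armoured private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Preamble: ciphername, kdfname, kdfoptions, nkeys. An unencrypted
        # key has ciphername "none" (and kdfname "none").
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if "PRIVATE KEY" in header:
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header
        return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
    raise ValueError("unrecognised key header: " + header)


def _openssh_blob(cipher, kdf):
    # Constructed minimal openssh-key-v1 preamble, just enough for the check
    body = OPENSSH_MAGIC
    for s in (cipher, kdf, b""):          # ciphername, kdfname, kdfoptions
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)          # nkeys; key sections omitted
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


SAMPLE_PLAIN = _openssh_blob(b"none", b"none")            # constructed
SAMPLE_ENCRYPTED = _openssh_blob(b"aes256-ctr", b"bcrypt")  # constructed
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run over the files under ~/.ssh on each laptop, a False result is the unencrypted key the policy forbids.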
It used to be that forcing SSH keys was enough to thwart most
intrusions from getting your creds. Unfortunately now most of the
root-kits know how to steal a passphrase just as easily as a password.
If it's not a root kit, it's a completely trojaned ssh and sshd installed
on the machine. Either
Tracy Reed writes:
> I do a lot of PCI security work these days. I have a good book on PCI
> security (I don't recall the name at the moment and don't have it on
> hand) which explicitly says that encrypted ssh keys (key plus
> password) counts as two factor authentication for the purposes of
> P
On Wed, Feb 03, 2010 at 05:39:40PM -0500, seph spake thusly:
> When I asked my auditor about this, their opinion was that though ssh
> keys with a good passphrase can count on 2 factors, it fairly hard to
> enforce the mandated password requirements on ssh keys. So they don't
> think they'll meet t
Tracy Reed writes:
> I really want to avoid having to purchase proprietary SecureID
> tokens. Anyone have reasonably priced PKI tokens they are using that
> work well with Linux?
My auditor mentioned that openvpn can meet the 2 factor requirement. It
can be configured to use a distributed cert a
seph wrote:
> Tracy Reed writes:
>
>> I really want to avoid having to purchase proprietary SecureID
>> tokens. Anyone have reasonably priced PKI tokens they are using that
>> work well with Linux?
>
> My auditor mentioned that openvpn can meet the 2 factor requirement. It
> can be configured to
On Thu, 4 Feb 2010, Tracy Reed wrote:
> I really want to avoid having to purchase proprietary SecureID
> tokens. Anyone have reasonably priced PKI tokens they are using that
> work well with Linux?
Check out the Yubikey products
http://www.yubico.com/products/yubikey/
later,
chris
On Wed, Feb 03, 2010 at 07:46:28PM -0500, Chris Ricker spake thusly:
> Check out the Yubikey products
>
> http://www.yubico.com/products/yubikey/
This looks very cool. I have been looking for something like this for
quite a while. It seems very Linux friendly in that it just emulates a
keyboard a
it's not a big breakthrough, it's just that tokens have been low-volume
devices purchased by entities who care a lot about security and so are
less sensitive to pricing.
David Lang
On Wed, Feb 03, 2010 at 07:46:28PM -0500, Chris Ricker spake thusly:
> Check out the Yubikey products
>
> http://w
> Assuming this is all that it is cracked up to be why wasn't this done
> ages ago? Was there some technology or manufacturing breakthrough that
> enabled this? Why did so many have to tolerate the very expensive and
> proprietary SecureID tokens for so long?
I think it's the same reason why peopl