Linked by Igor Ljubuncic on Mon 2nd Apr 2012 15:41 UTC
Features, Office You have just bought tickets to an exotic vacation spot. You board the flight, you land safely, you pull your netbook from your backpack, fire it up, and then check if there are any available Wireless networks. Indeed there are, unencrypted, passwordless, waiting for you. So you connect to the most convenient hotspot and start surfing. Being addicted as you are, you want to login into your email or social network just to check if something cardinal happened in the world during your four-hour flight. You're about to hit the sign in button. Stop. What you're about to do might not be safe.
Thread beginning with comment 512818
Alfman
Member since:
2011-01-28

"SSH should be setup to not allow root logins: PermitRootLogin no (I have no idea why this still isn't the default)"

Being able to rsync over SSH as root can be very convenient since rsync via user accounts doesn't preserve ownership. Do you know of an alternative?


"And a non-security tip: to speed up SSH-login I also disable DNS, which could really help if 'reverse DNS' is broken or slow:
UseDNS no"

Also removing / disabling the following feature can eliminate a few-second delay that happens on every single login (disable it in the server or client). It won't affect anyone using password and/or RSA authentication.

GSSAPIAuthentication yes

I honestly don't know why it's always so slow even on fresh installs, but LOG_LEVEL Debug confirms it's the culprit. Don't know if it's a bug or if it's normal, but the following indicates it's been a problem since 2007.

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/84899

Edited 2012-04-04 13:50 UTC

Reply Parent Score: 2
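The three sshd_config keywords discussed in this thread (PermitRootLogin, UseDNS, GSSAPIAuthentication) are easy to "set" in a way sshd never honours: sshd takes the first occurrence of each keyword and ignores later ones, and anything below a Match line applies only conditionally. The following is an added example, not code from the thread or from OpenSSH, that reports the effective global value of each keyword for a constructed sample file; the sample config and its path are invented for the demonstration, and the Keyword=value spelling sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a few keywords.
# sshd uses the FIRST occurrence of a keyword, and keywords below a "Match"
# line are conditional, so the global section ends there.

# effective_value FILE KEYWORD -> first value in the global section, or "(default)"
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0      { next }                  # comments, blank lines
        tolower($1) == "match"     { exit }                  # global section ends
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# root_login_ok FILE -> 0 if root password logins are blocked, 1 otherwise.
# "(default)" is treated as unsafe: the built-in default was "yes" before OpenSSH 7.0.
root_login_ok() {
    case "$(effective_value "$1" PermitRootLogin)" in
        no|without-password|prohibit-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_sshd_config FILE -> one line per keyword of interest
audit_sshd_config() {
    for kw in PermitRootLogin PasswordAuthentication UseDNS GSSAPIAuthentication; do
        printf '%-22s %s\n' "$kw" "$(effective_value "$1" "$kw")"
    done
}

# make_sample_config -> path of a constructed sshd_config (NOT a real host's file)
make_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample sshd_config for the demonstration
Port 22
PermitRootLogin yes
GSSAPIAuthentication yes
UseDNS yes
# "hardening" appended later: ignored by sshd, PermitRootLogin is already set above
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# Usage: audit a real file with  sh thisscript.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

On the constructed sample the audit reports PermitRootLogin as yes despite the "no" near the end, UseDNS and GSSAPIAuthentication as yes, and PasswordAuthentication as (default) because its only setting sits inside a Match block. On a live host, `sshd -T` prints the same effective values directly and is the authoritative check.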

rhavenn
Member since:
2006-05-12

"SSH should be setup to not allow root logins: PermitRootLogin no (I have no idea why this still isn't the default)"

"Being able to rsync over SSH as root can be very convenient since rsync via user accounts doesn't preserve ownership. Do you know of an alternative?"


Yes, use without-password for PermitRootLogin and passwords will be disabled, but you can use keys. Your rsync is most likely set up with keys anyway that don't have passwords set for them, if it's an automated type of solution.

Reply Parent Score: 1
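A key-only root login still lets the holder of that key run anything. The usual way to keep the convenience of root rsync while narrowing the exposure is to install the key with a command= option so sshd runs a wrapper that only permits rsync's server mode under one directory (rsync ships a script called rrsync for this purpose). The following is an added example, not code from the thread or from the rsync project: the wrapper path /usr/local/sbin/rsync-only, the backup root /srv/backup, the client address and the key material are placeholders chosen for the demonstration.

```shell
#!/bin/sh
# Added example: confine a passwordless root key to rsync under one tree.
# Install as /usr/local/sbin/rsync-only (placeholder path) and reference it
# from the key's command= option; sshd then runs this instead of the client's
# command and hands the requested command over in $SSH_ORIGINAL_COMMAND.

# authorized_keys_line CLIENT_IP PUBKEY -> the restricted entry for root.
# from= pins the source host; the no-* options drop PTY, forwarding and agent.
authorized_keys_line() {
    printf 'command="/usr/local/sbin/rsync-only /srv/backup",from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 %s backup@client\n' "$1" "$2"
}

# check_rsync_command ROOT CMD -> 0 if CMD is an rsync server invocation whose
# path argument stays under ROOT, 1 otherwise.
check_rsync_command() {
    root=$1
    cmd=$2
    case "$cmd" in
        "rsync --server "*) ;;                              # server mode only
        *) return 1 ;;
    esac
    case "$cmd" in                                          # nothing the shell could expand
        *";"*|*"|"*|*"&"*|*'$'*|*'`'*|*"*"*|*"?"*|*"["*|*">"*|*"<"*) return 1 ;;
    esac
    last=${cmd##* }                                         # rsync puts the path last
    case "$last" in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    case "$last" in
        *"/../"*|*"/..") return 1 ;;                        # no climbing out of ROOT
    esac
    return 0
}

# Wrapper entry point: only active when invoked by sshd with a ROOT argument.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ] && [ $# -eq 1 ]; then
    if check_rsync_command "$1" "$SSH_ORIGINAL_COMMAND"; then
        # word-splitting the vetted command is intended; metacharacters were rejected above
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Generate the entry with `authorized_keys_line 192.0.2.10 "$(cut -d' ' -f2 backup.pub)"` and append it to root's authorized_keys; with PermitRootLogin set to without-password (or forced-commands-only, which allows root only through keys that carry a command= option) the client can still run `rsync -a --rsync-path=... /data/ root@server:/srv/backup/host1` with ownership preserved, while an interactive shell, a different directory or a path containing .. is refused.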

Lennie
Member since:
2007-09-22

GSSAPI is Kerberos authentication, I think it only causes problems when you install the libraries you need for Kerberos authentication but don't actually configure it.

Reply Parent Score: 2

Alfman
Member since:
2011-01-28

Lennie,

"GSSAPI is Kerberos authentication, I think it only causes problems when you install the libraries you need for Kerberos authentication but don't actually configure it."

That's possible, however like everyone else in the earlier linked thread I wonder why a distro would come prepackaged that way considering the annoyance it causes the majority of users. Or why they don't fix the source of the delay in Kerberos itself. Unless it's a deliberate connection throttling mechanism?

Just now I looked for Kerberos packages and lib files, but I don't see anything installed. Granted I don't know what I'm looking for, but disabling it works well enough.

Reply Parent Score: 2