Mailinglist Archive: opensuse-security (228 mails)

RE: [suse-security] Allow MAC addresses through SuSEfirewall2
  • From: "Ness, Todd" <todd.ness@xxxxxxx>
  • Date: Mon, 7 Mar 2005 11:53:30 -0800
  • Message-id: <48E6557C29E9C645A74851DD40121F5401BACF40@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
I would look at 2 factor authentication as another option.
http://www.securecomputing.com/index.cfm?skey=1277 is one example of
this.

-----Original Message-----
From: Carlos E. R. [mailto:robin1.listas@xxxxxxxxxx]
Sent: Sunday, March 06, 2005 7:21 PM
To: SuSE Security List
Subject: RE: [suse-security] Allow MAC addresses through SuSEfirewall2


The Sunday 2005-03-06 at 14:18 -0000, Thomas Knight wrote:

> > There are settings in Yast (professional version) to force users to
> > have "safer" passwords. I suppose the enterprise version has
> > similar settings.
> >
> > Also, you could set up ssh to not accept login/password entry, but
> > public key instead.
>
> I'm with you there.
> What I mean is if I use username/password they'll just save the
> password somewhere.

You can also force them to change the passwords every two weeks :-P

I remember once, while working for a certain important company (US based
multinational), we were issued passwords for accessing certain machines
(not exactly computers). A "boss" gave us big envelopes. Inside, there
was a sealed envelope (secret and confidential) and a booklet explaining
how to safely use passwords, how to choose them, how to keep them...
etc.
We had to sign and return a form as "read and understood". The sealed
envelope contained the passwords, of course. I'm unsure now if the
person that gave us the envelopes waited nearby till we returned the
forms while keeping an eye on us, but I think he did...

Sounds too paranoid? :-)

Actually, I saw more "paranoid" measures from them a few years later on.


> If they use PPK they'll "forget" to specify a passphrase for their
> private key, which is out of my control.

Yes, that's a thing I noticed recently. The sshd server can not force
the client to use a long passphrase, I understand.


> Hey, I'll log all access and they'll have limited privs. We do what we
> can!

Yap :-)

>
> Ta for the thoughts,

Welcome.

--
Cheers,
Carlos Robinson
