    Fairly Hardened Jump Box

    • stacksofplates

      So I'm putting together a jump box that will be fairly hardened. Here's my plan:

      • Small set of users (2-3)
      • Cannot SSH in as Root (must have console access)
      • Cannot SSH in as wheel members (must have console access)
      • Non-wheel users cannot su to another name
      • Keys are required along with long password and OTP to get into system
      • Kerberos tickets are required to SSH to other systems from the jump box.
      • Fail2ban (or similar) enabled
      • Higher SSH port (just to mitigate spam bots for logging)
      • Possibly port knocking
      • Will meet SCAP requirements.

      Key exchange will be curve25519-sha256 or diffie-hellman-group-exchange-sha256
      Ciphers - chacha20-poly1305, aes256-gcm, aes128-gcm, aes256-ctr, aes192-ctr, aes128-ctr
      MACs - hmac-sha2-512-etm, hmac-sha2-256-etm, hmac-ripemd160-etm, umac-128-etm, hmac-sha2-512, hmac-sha2-256, hmac-ripemd160, umac-128

      Any other ideas?

      • stacksofplates

        Also testing that "ask as a question" is back.

        • Dashrender @stacksofplates

          @stacksofplates said in Fairly Hardened Jump Box:

          Keys are required along with long password and OTP to get into system

          And? So you're requiring Keys, a long password and One Time Passwords? Are you trying to protect the nuclear football?

          I thought Scott normally stopped at using only keys? Or was it keys and passwords?

          I know he also recently set up Two Factor Authentication with Google Authenticator.

          • coliver @Dashrender

            @Dashrender said in Fairly Hardened Jump Box:

            And? So you're requiring Keys, a long password and One Time Passwords? Are you trying to protect the nuclear football?

            I thought Scott normally stopped at using only keys? Or was it keys and passwords?

            I know he also recently set up Two Factor Authentication with Google Authenticator.

            Keys and passwords are basically the same thing. A key is just a really long password.

            • scottalanmiller @coliver

              @coliver said in Fairly Hardened Jump Box:

              Keys and passwords are basically the same thing. A key is just a really long password.

              But a password locked key is kind of different. Because it's two factor, a password you have AND one that you know. In some form, ALL forms of authentication are passwords. That's all a one time pin is, that's all biometric is, etc.

              • stacksofplates @coliver

                @coliver said in Fairly Hardened Jump Box:

                Keys and passwords are basically the same thing. A key is just a really long password.

                Kind of. Normal SSH passwords are sent encrypted to the server to verify. Keys are challenge-response so it's never sent at all. But it is like a 1645 character string.

                • stacksofplates @scottalanmiller

                  @scottalanmiller said in Fairly Hardened Jump Box:

                  But a password locked key is kind of different. Because it's two factor, a password you have AND one that you know. In some form, ALL forms of authentication are passwords. That's all a one time pin is, that's all biometric is, etc.

                  I guess I should have explained better. The key will be encrypted, but SSH will require the key and the system password also. So if you don't have the key it won't prompt you at all, but with the key then you enter your system password + the OTP.

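As an added example that is not part of the thread, here is a small POSIX shell audit of an sshd_config against the plan in the opening post and the key-first, then password + OTP flow described in the last reply. It assumes the password + OTP step is delivered by PAM (so the method list is publickey followed by keyboard-interactive), uses the OpenSSH spellings of the OP's algorithm names (with the @openssh.com suffixes), and the sample config at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the jump-box plan.
# Assumes the password + OTP step is delivered by PAM, i.e. keyboard-interactive after publickey.
# Allow-lists built from the OP's algorithm list, in OpenSSH spelling (@openssh.com suffixes added).
OK_KEX='curve25519-sha256 curve25519-sha256@libssh.org diffie-hellman-group-exchange-sha256'
OK_CIPHERS='chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr'
OK_MACS='hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com hmac-ripemd160-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-512 hmac-sha2-256 hmac-ripemd160 umac-128@openssh.com'

# First effective value of a keyword: sshd honours the first occurrence, keywords are case-insensitive.
get_opt() { awk -v k="$2" 'tolower($1)==tolower(k){$1="";sub(/^ +/,"");print;exit}' "$1"; }

# Every comma-separated item in $1 must be in the space-separated allow-list $2; an unset
# keyword (empty $1) fails, because that would silently fall back to the OpenSSH defaults.
all_allowed() {
  [ -n "$1" ] || return 1
  for item in $(echo "$1" | tr ',' ' '); do
    case " $2 " in *" $item "*) ;; *) return 1 ;; esac
  done
}
fail() { echo "FAIL: $1"; rc=1; }

# Prints each unmet requirement; returns 0 only if the whole plan is met.
audit_sshd() {
  cfg=$1; rc=0
  [ "$(get_opt "$cfg" PermitRootLogin)" = no ] || fail 'PermitRootLogin must be no (root only at the console)'
  case " $(get_opt "$cfg" DenyGroups) " in *' wheel '*) ;; *) fail 'DenyGroups must include wheel' ;; esac
  case "$(get_opt "$cfg" AuthenticationMethods)" in
    publickey,keyboard-interactive*) ;;   # key first, then PAM prompts for password + OTP
    *) fail 'AuthenticationMethods must be publickey,keyboard-interactive' ;;
  esac
  port=$(get_opt "$cfg" Port)
  [ -n "$port" ] && [ "$port" != 22 ] || fail 'Port must be moved off 22'
  all_allowed "$(get_opt "$cfg" KexAlgorithms)" "$OK_KEX" || fail 'KexAlgorithms outside the plan (or unset)'
  all_allowed "$(get_opt "$cfg" Ciphers)" "$OK_CIPHERS" || fail 'Ciphers outside the plan (or unset)'
  all_allowed "$(get_opt "$cfg" MACs)" "$OK_MACS" || fail 'MACs outside the plan (or unset)'
  return $rc
}

# Constructed sample config that meets the plan (demo input, not a real host's file).
SAMPLE=$(mktemp); cat >"$SAMPLE" <<'EOF'
Port 2222
PermitRootLogin no
DenyGroups wheel
AuthenticationMethods publickey,keyboard-interactive
KexAlgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512
EOF
audit_sshd "$SAMPLE" && echo "sshd_config meets the plan"
rm -f "$SAMPLE"
```

Run it against /etc/ssh/sshd_config after `sshd -t` passes; a missing keyword is reported as a failure because it means the OpenSSH default applies, not the plan's value.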