dhis2-users team mailing list archive

Re: Secure remote access

 

I mean keys when I say certificate. I believe they're used interchangeably,
but that might be incorrect. Thanks for your clarification.

However, I think it's an important point that the key should be protected
by a passphrase. If someone breaks into the PC where the private key is
stored and they can use that without a passphrase to log into DHIS, it
creates a network of possible failures that is hackable. I doubt everyone
has the same security policy on their local machine as they should have on
the state DHIS server, so a key without a passphrase would be dangerous
(please let me know if you disagree). I guess alternatively it's possible
to still have a password on a server and require both a password and an SSH
key? This might be even safer.

Lars

2012/3/9 Bob Jolliffe <bobjolliffe@xxxxxxxxx>

> On 9 March 2012 11:52, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> >>
> >> I'd use HTTPS/SSL for web access and definitely use SSH (preferably using
> >> both certificates and passwords) for server access (for people administering
> >> the linux installations).
> >>
> >
> > SSH is a must. I would also move it to a non-standard port, and
> > disable remote access with passwords, and disable the root user from
> > being able to login over SSH. You will still get a lot of bot attacks,
> > but using certificates (with a password) will greatly increase the
> > security of the server.
>
> what certificates?  I just use my public and private key combination
> ie. copy my public key into ~/ssh/authorized_keys on the server.
>
> Disabling remote access with passwords is really important, but
> sometimes it takes a bit of time getting people used to using keys.
> Worth the effort though.  Don't lose the keys.
>



-- 
Lars Kristian Roland
Research Fellow, Department of Informatics, University of Oslo
Email: lars@xxxxxxxxx - roland@xxxxxxxxxx
Phone: +47 90733036
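
Added example, not part of the original thread: a small Python audit of an `sshd_config` against the settings discussed above (no root login, no password-only login, non-default port), including the "require both a password and a key" variant, which OpenSSH expresses with the `AuthenticationMethods` directive. The function names, the sample configs and port 2222 are constructed for illustration; only the global section is read, only the first `Port` line is considered, and keyboard-interactive/PAM settings are not checked.

```python
import re

# Defaults current OpenSSH applies when a keyword is absent.
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "authenticationmethods": "any"}

# Constructed sample configs (not taken from the thread).
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
KEYS_ONLY = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n"
KEY_AND_PASSWORD = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication yes\n"
                    "AuthenticationMethods publickey,password\n")

def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive and the
    first value seen wins. Parsing stops at the first Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return {**DEFAULTS, **settings}

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root can log in over SSH")
    # Each space-separated list in AuthenticationMethods is an alternative;
    # a key is mandatory only if every alternative includes publickey.
    alternatives = cfg["authenticationmethods"].lower().split()
    key_required = all("publickey" in alt.split(",") for alt in alternatives)
    passwords_on = cfg["passwordauthentication"].lower() == "yes"
    if passwords_on and not key_required:
        findings.append("a password alone is enough to log in")
    if cfg["port"] == "22":
        findings.append("sshd listens on the default port 22")
    return findings

if __name__ == "__main__":
    for name, sample in [("weak", WEAK), ("keys only", KEYS_ONLY),
                         ("key + password", KEY_AND_PASSWORD)]:
        print(name, "->", audit(sample) or "ok")
```

Whether the private key on the client is protected by a passphrase cannot be seen from the server configuration, so that part of the discussion needs a separate check on the client side.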