OT: Dealing with a hosting company with it's head up it's rear end

Michael Sierchio kudzu at tenebras.com
Thu Aug 13 19:13:26 UTC 2020


Unless they are completely clueless, that's easily detected.  Although
there is evidence suggestive of them being clueless...

It is possible to enforce MFA with SSH in a number of ways. E.g.,

pam_google_authenticator
yubikeys with captive ssh private key + touch-to-sign required
etc.


On Thu, Aug 13, 2020 at 12:05 PM Jack L. <xxjack12xx at gmail.com> wrote:
>
> Just change the ssh/rdp ports?
>
> On Thu, Aug 13, 2020 at 11:59 AM Aryeh Friedman
> <aryeh.friedman at gmail.com> wrote:
> >
> > Forgot to ask how common is such idiocy?  And is it becoming more common?
> >
> > On Thu, Aug 13, 2020 at 2:56 PM Aryeh Friedman <aryeh.friedman at gmail.com>
> > wrote:
> >
> > > The hosting company for one of our clients sent the following reply to
> > > us/them when we asked them to set up end user accounts on a dedicated
> > > Windows Server, FreeBSD box and CentOS box (all VM's on the same physical
> > > machine with no other VM's on the physical machine) and being told we
> > > needed scriptable access (not web based non-scriptable) to the windows
> > > desktop and shell accounts (including the ability to sudo) and they agreed
> > > to provide it:
> > >
> > > "[Insert client name here], we do not allow RDP or SSH into our
> > > datacenter. They are the primary vehicles for ransomware and cryptolocker
> > > breaches. We utilize a secure access portal with multi-factor
> > > authentication to ensure you don't get breached."
> > >
> > > I kind of understand RDP (but we have had bad luck with VNC on the same
> > > hosting provider in the past so we prefer RDP), but SSH!?!?!?!?!  Their
> > > idea of a "two factor" authentication is each connection will only be
> > > allowed via a web portal and must use a one-time password sent to the
> > > user's smartphone.  Not only does this make automated deploy impossible,
> > > it is a complete show stopper since our service is IoT and uses its own
> > > custom protocol.
> > >
> > > So how do we/the client tell the hosting company they are full of sh*t
> > > (the client has a 3 year contract with a pay in full to break clause with
> > > them which would be over $100k to break)
> > >
> > > --
> > > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> > >
> >
> >
> > --
> > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"



--

"Well," Brahmā said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent person requires only two thousand five hundred."

- The Mahābhārata
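
Added example, not part of the thread: a small audit script that reads the global section of an OpenSSH sshd_config and reports whether it enforces either of the two approaches named in the reply above (a key plus a PAM one-time code, or hardware-backed keys with touch required). The three sample configs are constructed, and ignoring Match blocks is an assumption of this sketch.

```python
import re

# Constructed sample configs (not from the thread). The TOTP module itself
# (pam_google_authenticator) is wired up in the PAM stack, not in sshd_config.
PASSWORD_ONLY = "UsePAM yes\nPasswordAuthentication yes\n"
KEY_PLUS_TOTP = ("UsePAM yes\nPasswordAuthentication no\n"
                 "KbdInteractiveAuthentication yes\n"
                 "AuthenticationMethods publickey,keyboard-interactive\n")
HARDWARE_KEY = ("PasswordAuthentication no\n"
                "PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com\n"
                "PubkeyAuthOptions touch-required\n"
                "AuthenticationMethods publickey\n")

def parse(text):
    """Global sshd_config options; the first value for a keyword wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "match":
            break  # assumption: per-user Match blocks are out of scope here
        opts.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    return opts

def classify(text):
    """Return 'multi-method', 'hardware-key' or 'single-factor'."""
    o = parse(text)
    # Each space-separated list is an alternative; commas mean "all of these".
    lists = [{m.split(":")[0] for m in alt.split(",")}
             for alt in (o.get("authenticationmethods") or "any").split()]
    if all(len(methods) >= 2 for methods in lists):
        return "multi-method"
    algs = o.get("pubkeyacceptedalgorithms", o.get("pubkeyacceptedkeytypes", ""))
    sk_only = bool(algs) and all(a.startswith("sk-") for a in algs.split(","))
    touch = {"touch-required", "verify-required"} & set(
        o.get("pubkeyauthoptions", "").replace(",", " ").split())
    if sk_only and touch and all(m == {"publickey"} for m in lists):
        return "hardware-key"
    return "single-factor"

if __name__ == "__main__":
    for name in ("PASSWORD_ONLY", "KEY_PLUS_TOTP", "HARDWARE_KEY"):
        print(name, "->", classify(globals()[name]))
```

A config that lists one single-method alternative next to a two-method one is reported as single-factor, because sshd accepts any one of the listed alternatives.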

