01-27-2011, 06:39 AM
Nico Kadel-Garcia
SSH Automatic Log-on Failure - Centos 5.5

On Thu, Jan 27, 2011 at 2:03 AM, Indunil Jayasooriya
<indunil75@gmail.com> wrote:
>
>
> On Thu, Jan 27, 2011 at 12:15 PM, Always Learning <centos@g7.u22.net> wrote:
>>
>> Hallo,
>>
>> I wanted to avoid typing-in my password every occasion I remotely
>> logged-on to a server.
>
>
>
> you expect Passwordless SSH. If so,
>
>
> On your PC
>
> # ssh-keygen -t rsa ( passphrase should be empty )

NO!!! NO!!! NO!!! NO!!!

I'm sorry, but this is a far too common and very, very bad practice.
You may as well tape a Post-It note with your password on it under
your keyboard, because anyone who can get this un-passphrase protected
key will be able to automatically log in as you.
The normal approach is to investigate how to use ssh-agent to store
your unlocked key in an active session, not use a passphrase-less key.
The "keychain" utility is very handy for just this purpose, and it's
available in the RPMforge repositories for RHEL 5 and CentOS 5.

Far too many people say "but you have to trust your own machine!!!"
and leave these passphrase-less keys lying around, and they're a
popular vulnerability for crackers to steal if they can gain *any*
access to your systems. It's particularly bad in environments that use
NFS and allow local hosts to be run by local users: any such local
admin can then "su" to become other users and access their private
keys.

Also, there's a stack of reasons that DSA is preferred to RSA for SSH
keys these days. When you generate your private keys, use "ssh-keygen
-t dsa", not rsa.

> Generating public/private rsa key pair.
> Enter file in which to save the key (/root/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
>
> then,
>
> # cd /root/.ssh/
>
> Pls scp id_rsa.pub to the Server
>
> # scp id_rsa.pub root@server:/root/.ssh/authorized_keys

Wrong again. Never use public key access for root accounts, it simply
compounds the security risks. Passphrase protected SSH keys can be
used, reasonably, for account access on other hosts, but should be
avoided for root access. If you *HAVE* to use an SSH key for root, for
example for "rsync" based backup operations, use rssh to restrict its
operations or designate a permitted command associated with that key
in the target's authorized_keys.
>
> then, finally ssh to the server from your PC. it would be passwordless.
> pls see below

Sadly, this will *work*, but so does tying your car keys to your car
door so you don't lose them. It's a security issue.

Please, read the manual pages on "ssh-agent" which was designed and
built into SSH deployments for just such use.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
01-27-2011, 06:46 AM
Nico Kadel-Garcia
SSH Automatic Log-on Failure - Centos 5.5

On Thu, Jan 27, 2011 at 2:35 AM, Cameron Kerr <cameron@humbledown.org> wrote:
>
> On 27/01/2011, at 7:45 PM, Always Learning wrote:
>
>> Hallo,
>>
>> I wanted to avoid typing-in my password every occasion I remotely
>> logged-on to a server.
>>
>> I created my SSH keys and copied the public part to the server and
>> renamed it authorized_keys.
>
>
>> ---------------------------------------------
>>
>> server /root/.ssh
>>
>> id_rsa.authorized_keys *-rw--------
>>
>> --------------------------------------------
>
> Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)

No, 0600 is *fine*. In fact that is the recommended permission from the
man page for "ssh". OpenSSH does a bit of UID and EUID manipulation to
gain permissions to examine that file as the user whose login is being
attempted, precisely to deal with NFS mounted home directories which
do not allow "root" direct access to protected files.
 
01-27-2011, 06:48 AM
Nico Kadel-Garcia
SSH Automatic Log-on Failure - Centos 5.5

On Thu, Jan 27, 2011 at 2:46 AM, Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> On Thu, Jan 27, 2011 at 2:35 AM, Cameron Kerr <cameron@humbledown.org> wrote:
>>
>> On 27/01/2011, at 7:45 PM, Always Learning wrote:
>>
>>> Hallo,
>>>
>>> I wanted to avoid typing-in my password every occasion I remotely
>>> logged-on to a server.
>>>
>>> I created my SSH keys and copied the public part to the server and
>>> renamed it authorized_keys.
>>
>>
>>> ---------------------------------------------
>>>
>>> server /root/.ssh
>>>
>>> id_rsa.authorized_keys *-rw--------
>>>
>>> --------------------------------------------
>>
>> Your ~/.ssh/authorized_keys needs to be readable by sshd, your permissions on it are too restrictive (typically, this should be 0644)
>
> No, 0600 is *fine*. In fact that is the recommended permission from the
> man page for "ssh". OpenSSH does a bit of UID and EUID manipulation to
> gain permissions to examine that file as the user whose login is being
> attempted, precisely to deal with NFS mounted home directories which
> do not allow "root" direct access to protected files.

But, the name of the file with a copy of your public key should be
$HOME/.ssh/authorized_keys. And the permissions of $HOME/.ssh should
be 0700.
 
01-27-2011, 06:59 AM
John Hodrien
SSH Automatic Log-on Failure - Centos 5.5

On Thu, 27 Jan 2011, Nico Kadel-Garcia wrote:

> Wrong again. Never use public key access for root accounts, it simply
> compounds the security risks. Passphrase protected SSH keys can be
> used, reasonably, for account access on other hosts, but should be
> avoided for root access. If you *HAVE* to use an SSH key for root, for
> example for "rsync" based backup operations, use rssh to restrict its
> operations or designate a permitted command associated with that key
> in the target's authorized_keys.

Is this actually current doctrine for typical machines? I thought plenty of
people advocated restricting ssh to AllowRoot without-password. What exactly
is your security concern with having password protected key access to a
machine's root account?

I'll agree using command= for things like rsync backups is definitely a good
idea, as it means you can put ssh keys on machines that only grant them single
command access.

jh
 
01-27-2011, 07:32 AM
James Bensley
SSH Automatic Log-on Failure - Centos 5.5

Hello all,


I've been reading this thread and have a question. I would like to set up passwordless ssh between two servers for some automated tasks but I don't like the passwordless-key option. How can I supply a passphrase when generating my keys but still have this process automated?



--James. (This email was sent from a mobile device)

 
01-27-2011, 07:48 AM
Cameron Kerr
SSH Automatic Log-on Failure - Centos 5.5

On 27/01/2011, at 9:32 PM, James Bensley wrote:
I've been reading this thread and have a question. I would like to set up passwordless ssh between two servers for some automated tasks but I don't like the passwordless-key option. How can I supply a passphrase when generating my keys but still have this process automated?

I think 'keychain' is often used for this. It's a bit like ssh-agent, in that you unlock the key manually (eg. just after starting the system), but it can be accessed by other programs later. I've never used it myself.
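Following up on the keychain suggestion here and in Nico's first reply, an added shell example (not code from this thread) of how a cron job reuses a key that was unlocked once through keychain, so the automated task needs no passphrase-less key. The key file, the hostname-derived environment file, the crontab entry and the server address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread.  A cron job reuses a key that
# was unlocked once through keychain, so no passphrase-less key is stored.
# Key file, hostname-derived env file and server address are placeholders.

# Login profile side (~/.bash_profile, run interactively): keychain starts
# or reuses ssh-agent, asks for the passphrase only on first use, and
# writes the agent variables to ~/.keychain/<hostname>-sh:
#
#   keychain --quiet --agents ssh "$HOME/.ssh/id_rsa"
#   . "$HOME/.keychain/$(hostname)-sh"

# Path of the environment file keychain maintains for this host.
agent_env_file() {
    printf '%s/.keychain/%s-sh\n' "${HOME:-/root}" "$(hostname)"
}

# Source the agent variables (SSH_AUTH_SOCK, SSH_AGENT_PID) from that file;
# fail when nobody has unlocked the key since boot.
import_agent_env() {
    f="${1:-$(agent_env_file)}"
    [ -r "$f" ] || return 1
    . "$f"
    [ -n "${SSH_AUTH_SOCK:-}" ]
}

# Cron side: import the environment, confirm the agent still holds a key,
# and only then run the automated transfer.
backup_job() {
    if ! import_agent_env; then
        logger -t backup "no unlocked ssh-agent found; skipping run"
        return 1
    fi
    # ssh-add -l exits non-zero when the agent is unreachable or empty.
    if ! ssh-add -l >/dev/null 2>&1; then
        logger -t backup "ssh-agent holds no keys; skipping run"
        return 1
    fi
    rsync -az -e ssh backup@server.example.com:/srv/data/ /var/backups/data/
}

# Assumed crontab entry:  0 2 * * * /usr/local/sbin/backup-job
# backup_job
```

The passphrase lives only in the agent's memory, so after a reboot the job skips itself until someone logs in and unlocks the key again.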
 
01-27-2011, 07:50 AM
Cameron Kerr
SSH Automatic Log-on Failure - Centos 5.5

On 27/01/2011, at 8:48 PM, Nico Kadel-Garcia wrote:

> And the permissions of $HOME/.ssh should be 0700.

Ah, yes. My mistake, sorry.
 
01-27-2011, 10:11 AM
James Bensley
SSH Automatic Log-on Failure - Centos 5.5

On 27 January 2011 08:48, Cameron Kerr <cameron@humbledown.org> wrote:
> I think 'keychain' is often used for this. It's a bit like ssh-agent, in
> that you unlock the key manually (eg. just after starting the system), but
> it can be accessed by other programs later. I've never used it myself.

Ah yes, I see that's what Nico also suggested.

Thanks you two, this is all up and working just great.

--
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
 
01-27-2011, 10:40 AM
Stephen Harris
SSH Automatic Log-on Failure - Centos 5.5

On Thu, Jan 27, 2011 at 02:39:29AM -0500, Nico Kadel-Garcia wrote:
> Wrong again. Never use public key access for root accounts, it simply
> compounds the security risks. Passphrase protected SSH keys can be

That is 100% backwards. *NEVER* use password authentication for root
(passwords are easier to brute force 'cos people choose bad passwords).
Use ssh public key access for root, with appropriate restrictions
(eg "from=").

--

rgds
Stephen
 
01-27-2011, 10:42 AM
Stephen Harris
SSH Automatic Log-on Failure - Centos 5.5

On Thu, Jan 27, 2011 at 12:33:31PM +0530, Indunil Jayasooriya wrote:
> # ssh-keygen -t rsa ( passphrase should be empty )

Don't use passphraseless keys unless you're using it for an automated
tool (eg rsync kicked off from cron). If this is for human interactive
work then learn how to use ssh-agent.

(If it's for programmatic use then also learn the from= and command= options
on the public key to restrict what the key can do)

--

rgds
Stephen
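As an added example (not code from this thread) of the from= and command= restrictions that Nico and Stephen recommend for a key used by automated rsync: the authorized_keys entry and a forced-command wrapper that lets the key serve only a read-only rsync of /srv/data to one client. The client address 192.0.2.10, the wrapper path /usr/local/sbin/rsync-only and the data path are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread.  Forced-command wrapper for a
# backup key: the key may only serve a read-only rsync of /srv/data to
# the one client named in from=.  Address and paths are placeholders.
set -f   # never glob-expand the command string sshd hands us

# The authorized_keys line for the backup key ("$1" is the public key).
# from= pins the client, command= forces the wrapper, and the no-*
# options drop the pty and forwarding a backup never needs.
backup_key_line() {
    printf '%s' 'from="192.0.2.10",command="/usr/local/sbin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding '
    printf '%s\n' "$1"
}

# Accept only "rsync --server --sender <one option cluster> . /srv/data/",
# which is what the client side sends when it pulls /srv/data.
allowed_command() {
    case "$1" in
        'rsync --server --sender -'*' . /srv/data/') ;;
        *) return 1 ;;
    esac
    set -- $1                    # split into words; set -f keeps globs literal
    [ "$#" -eq 6 ] && [ "$5" = . ] && [ "$6" = /srv/data/ ]
}

# Entry point when sshd runs the wrapper: sshd stores the command the
# client asked for in SSH_ORIGINAL_COMMAND; anything else is logged and refused.
run_forced_command() {
    if allowed_command "${SSH_ORIGINAL_COMMAND:-}"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-only "refused from ${SSH_CLIENT:-?}: ${SSH_ORIGINAL_COMMAND:-<none>}"
    echo "command not permitted" >&2
    exit 1
}

# Uncomment when installed as /usr/local/sbin/rsync-only:
# run_forced_command
```

The refusal line in syslog is the detection hook: any use of the backup key other than the expected pull shows up there with the requesting client's address.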
 