Old 06-19-2008, 09:01 PM
 
Default ssh?

I'm trying to make my system a little more secure but still allow it to be
accessed remotely from the internet using ssh and I'm looking for some
guidance. The systems in question are a Fedora 9 and a Fedora Core 6 system.

The first thing I did was on my workstation (that I ssh from) is create a
public/private key pair and installed the public key in
~/.ssh/authorized_keys2, and disabled the password authentication in the
/etc/ssh/sshd_config and everything so far works great.

My issue I came up with is one of the systems sits on my home network behind
a firewall, it would be nice if I can only require the public key for
systems not on my local network, eg only the systems on the internet must
be known. I guess telnet is an option since it is blocked at the firewall.

Next question/problem is, if I create an account for somebody to use when
connecting to the system, I must put their public key in their home
directory, can it be done the reverse? In other words can I provide them
a key for the system and if they don't have that key they can not connect
to the system.

Thanks, Jeff

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 06-19-2008, 09:14 PM
"Kevin J. Cummings"
 
Default ssh?

jeff@bubble.org wrote:
> I'm trying to make my system a little more secure but still allow it to be
> accessed remotely from the internet using ssh and I'm looking for some
> guidance. The systems in question are a Fedora 9 and a Fedora Core 6 system.
>
> The first thing I did was on my workstation (that I ssh from) is create a
> public/private key pair and installed the public key in
> ~/.ssh/authorized_keys2, and disabled the password authentication in the
> /etc/ssh/sshd_config and everything so far works great.
>
> My issue I came up with is one of the systems sits on my home network behind
> a firewall, it would be nice if I can only require the public key for
> systems not on my local network, eg only the systems on the internet must
> be known. I guess telnet is an option since it is blocked at the firewall.

I use different IP addresses to connect to depending on whether I'm
inside or outside my firewall. That kinda solves the problem. I still
use public key authentication as it doesn't require a password to be
typed in. Instead of telnet (which always prompts for your login
password) you might want to look at rsh instead. Just be sure to limit
its use to your local LAN behind your firewall only.

> Next question/problem is, if I create an account for somebody to use when
> connecting to the system, I must put their public key in their home
> directory, can it be done the reverse? In other words can I provide them
> a key for the system and if they don't have that key they can not connect
> to the system.

The public key is for a single user account. It is not a system-wide
key. You would need to create separate key-pairs for each userid you
wish to allow access to. Here is where you need to be careful. Each
user has control over his/her own key-pair. It is possible they could
set up null keys, thereby getting around the security you want in place.

Make sure you understand all of this before you start issuing them to
friends.

> Thanks, Jeff


--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)

 
Old 06-20-2008, 12:49 AM
Cameron Simpson
 
Default ssh?

On 19Jun2008 17:01, jeff@bubble.org <jeff@bubble.org> wrote:
| The first thing I did was on my workstation (that I ssh from) is create a
| public/private key pair and installed the public key in
| ~/.ssh/authorized_keys2, and disabled the password authentication in the
| /etc/ssh/sshd_config and everything so far works great.

You should also disable PermitRootLogin and set up an AllowUsers line in
sshd_config; this gives you tighter control.

| My issue I came up with is one of the systems sits on my home network behind
| a firewall, it would be nice if I can only require the public key for
| systems not on my local network, eg only the systems on the internet must
| be known.

For why? Run an ssh-agent in your shell. Add your key to the agent.
Use ssh (which will silently use the key) to connect regardless.
Seriously, this is much more secure (because you never set up an
insecure ssh) and in the long run more convenient.

| I guess telnet is an option since it is blocked at the firewall.

It's an option, but poor.

| Next question/problem is, if I create an account for somebody to use when
| connecting to the system, I must put their public key in their home
| directory, can it be done the reverse? In other words can I provide them
| a key for the system and if they don't have that key they can not connect
| to the system.

Sure - it just means you make the key first. But that has two problems:
1) you know the passphrase to the key - only they should know it and 2)
you have to get the _private_ key to them securely. Putting it on a USB
thumb drive and physically handing it to them might do (2), provided you then
scrub the USB thumb drive and ensure they install the private key
securely.

If they make the key, they just send you the public half, which can be sent
more openly, since it does not need to be secret. Of course, there is the
issue of ensuring that a key that arrives in email really came from the user
you intend to grant access to... A phone call can be used for this.
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

 
Old 06-20-2008, 01:12 AM
"Aldo Foot"
 
Default ssh?

On Thu, Jun 19, 2008 at 2:01 PM, <jeff@bubble.org> wrote:
> I'm trying to make my system a little more secure but still allow it to be
> accessed remotely from the internet using ssh and I'm looking for some
> guidance. The systems in question are a Fedora 9 and a Fedora Core 6 system.
>
> The first thing I did was on my workstation (that I ssh from) is create a
> public/private key pair and installed the public key in
> ~/.ssh/authorized_keys2, and disabled the password authentication in the
> /etc/ssh/sshd_config and everything so far works great.

I believe the file with the keys is '~/.ssh/authorized_keys', without the '2',
as specified in the sshd_config:
AuthorizedKeysFile .ssh/authorized_keys

> My issue I came up with is one of the systems sits on my home network behind
> a firewall, it would be nice if I can only require the public key for
> systems not on my local network, eg only the systems on the internet must
> be known. I guess telnet is an option since it is blocked at the firewall.

See http://www.employees.org/~satch/ssh/faq/ssh-faq.html
In particular item 5.2.

> Next question/problem is, if I create an account for somebody to use when
> connecting to the system, I must put their public key in their home
> directory, can it be done the reverse? In other words can I provide them
> a key for the system and if they don't have that key they can not connect
> to the system.

You put *your* public key in *their* home directory and vice versa.

A bit of reading might be helpful. Google for "ssh keys tutorial".

> Thanks, Jeff

~af

 
Old 06-20-2008, 01:16 AM
"Kevin J. Cummings"
 
Default ssh?

Aldo Foot wrote:
> On Thu, Jun 19, 2008 at 2:01 PM, <jeff@bubble.org> wrote:
>> I'm trying to make my system a little more secure but still allow it to be
>> accessed remotely from the internet using ssh and I'm looking for some
>> guidance. The systems in question are a Fedora 9 and a Fedora Core 6 system.
>>
>> The first thing I did was on my workstation (that I ssh from) is create a
>> public/private key pair and installed the public key in
>> ~/.ssh/authorized_keys2, and disabled the password authentication in the
>> /etc/ssh/sshd_config and everything so far works great.
>
> I believe the file with the keys is '~/.ssh/authorized_keys', without the '2',
> as specified in the sshd_config:
> AuthorizedKeysFile .ssh/authorized_keys

I only use the ssh 2 protocol. As such, I have/use authorized_keys2.
The version without the "2" is for ssh 1 protocol, and its use should
be deprecated as it's not as secure as ssh 2.


--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)

 
Old 06-20-2008, 01:18 AM
Cameron Simpson
 
Default ssh?

On 19Jun2008 18:12, Aldo Foot <lunixer@gmail.com> wrote:
| > The first thing I did was on my workstation (that I ssh from) is create a
| > public/private key pair and installed the public key in
| > ~/.ssh/authorized_keys2, and disabled the password authentication in the
| > /etc/ssh/sshd_config and everything so far works great.
|
| I believe the file with the keys is '~/.ssh/authorized_keys', without the '2'.
| as specified in the sshd_config.
| AuthorizedKeysFile .ssh/authorized_keys

These days this is true. For a while, during the transition from ssh1 to
ssh2, there were two authorized_keys files :-(
--
Cameron Simpson <cs@zip.com.au> DoD#743

 
Old 06-20-2008, 02:04 AM
Cameron Simpson
 
Default ssh?

On 19Jun2008 21:16, Kevin J. Cummings <cummings@kjchome.homeip.net> wrote:
> Aldo Foot wrote:
>> On Thu, Jun 19, 2008 at 2:01 PM, <jeff@bubble.org> wrote:
>>> I'm trying to make my system a little more secure but still allow it to be
>>> accessed remotely from the internet using ssh and I'm looking for some
>>> guidance. The systems in question are a Fedora 9 and a Fedora Core 6 system.
>>>
>>> The first thing I did was on my workstation (that I ssh from) is create a
>>> public/private key pair and installed the public key in
>>> ~/.ssh/authorized_keys2, and disabled the password authentication in the
>>> /etc/ssh/sshd_config and everything so far works great.
>>
>> I believe the file with the keys is '~/.ssh/authorized_keys', without the '2',
>> as specified in the sshd_config:
>> AuthorizedKeysFile .ssh/authorized_keys
>
> I only use the ssh 2 protocol. As such, I have/use authorized_keys2.
> The version without the "2" is for ssh 1 protocol, and its use should
> be deprecated as it's not as secure as ssh 2.

Actually a modern ssh will get ssh2 keys from authorized_keys.
To lock it down you should specify "Protocol 2" in the sshd_config file,
thus forbidding ssh1 in the sshd config, and not by luck with the key file.
--
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

 
Old 06-20-2008, 03:04 AM
Todd Zullinger
 
Default ssh?

Cameron Simpson wrote:
> Actually a modern ssh will get ssh2 keys from authorized_keys. To
> lock it down you should specify "Protocol 2" in the sshd_config
> file, thus forbidding ssh1 in the sshd config, and not by luck with
> the key file.

FWIW, this has been the default in openssh for a bit over a year now.
The sshd_config that is shipped in Fedora's packages contains this:

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

The upstream openssh change was made in this commit:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.diff?r1=1.74&r2=1.75

--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
It is better to weep with wise men than to laugh with fools.
-- Spanish Proverb

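The replies above converge on a small set of sshd_config settings: Cameron's suggestion to disable PermitRootLogin and add an AllowUsers line, Jeff's PasswordAuthentication no, and the point made by both Cameron and Todd that "Protocol 2" should be stated explicitly rather than relied on as a default. Below is an added example (not code from the thread or from the OpenSSH project) that audits an sshd_config file for exactly those settings. It follows two sshd_config rules that trip people up: keywords are case-insensitive, and for a keyword appearing more than once outside a Match block sshd keeps the first value it reads, so a hardening line appended to the end of the file does nothing if a weaker line precedes it. The two sample configs are constructed for the demonstration; the usernames in them are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config file for the
# settings recommended in the replies (Protocol 2, PermitRootLogin no,
# PasswordAuthentication no, an explicit AllowUsers list).

# Lowercase helper; sshd compares keywords (and yes/no values) case-insensitively.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print the effective global value of keyword $2 in sshd_config $1.
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate line
# does not override an earlier one. "Keyword Value" and "Keyword=Value" are both
# accepted. Lines below a Match directive are conditional, so the scan stops there.
sshd_effective() {
    awk -v key="$(lc "$2")" '
    {
        sub(/^[[:space:]]+/, "")            # tolerate indented lines
        if ($0 == "" || $0 ~ /^#/) next     # skip blank lines and comments
        sub(/=/, " ")                       # Keyword=Value -> Keyword Value
        $0 = $0                             # re-split into fields
        if (tolower($1) == "match") exit    # stop at the first Match block
        if (tolower($1) == key) {
            sub(/^[^[:space:]]+[[:space:]]+/, "")   # drop the keyword, keep the whole value
            print
            exit                            # first value wins, as in sshd
        }
    }' "$1"
}

# Report every recommended setting that is missing or weak in $1.
# Returns 0 only when all four checks pass.
sshd_audit() {
    f=$1; rc=0
    [ "$(lc "$(sshd_effective "$f" Protocol)")" = 2 ] \
        || { echo "FAIL: Protocol 2 is not set explicitly"; rc=1; }
    [ "$(lc "$(sshd_effective "$f" PermitRootLogin)")" = no ] \
        || { echo "FAIL: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(lc "$(sshd_effective "$f" PasswordAuthentication)")" = no ] \
        || { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ -n "$(sshd_effective "$f" AllowUsers)" ] \
        || { echo "FAIL: no AllowUsers list"; rc=1; }
    return $rc
}

# Constructed sample configs (placeholder usernames), written to temp files.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a config loosened for convenience
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
# the next line is NOT honoured: sshd already read a value for this keyword
PasswordAuthentication no
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: the settings recommended in the thread
Protocol 2
PermitRootLogin no
PasswordAuthentication no
   AllowUsers=jeff alice
EOF

echo "weak config:";     sshd_audit "$WEAK_CFG" || echo "-> rejected"
echo "hardened config:"; sshd_audit "$HARD_CFG" && echo "-> OK"
```

Run it against a real file with `sshd_audit /etc/ssh/sshd_config`. The first-value-wins behaviour is why the weak sample still fails the PasswordAuthentication check despite its final line; on a live host, `sshd -T` prints the values the daemon actually resolved and is the authoritative cross-check.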
 
Old 06-20-2008, 03:09 AM
"Kevin J. Cummings"
 
Default ssh?

Cameron Simpson wrote:
> On 19Jun2008 21:16, Kevin J. Cummings <cummings@kjchome.homeip.net> wrote:
>> I only use the ssh 2 protocol. As such, I have/use authorized_keys2.
>> The version without the "2" is for ssh 1 protocol, and its use should
>> be deprecated as it's not as secure as ssh 2.
>
> Actually a modern ssh will get ssh2 keys from authorized_keys.
> To lock it down you should specify "Protocol 2" in the sshd_config file,
> thus forbidding ssh1 in the sshd config, and not by luck with the key file.

Well, I guess I've been using ssh since at least 1995, so my
configurations pre-date the "change", even though I have migrated to
protocol 2. B^)


--
Kevin J. Cummings
kjchome@rcn.com
cummings@kjchome.homeip.net
cummings@kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)

 
