From: Keith Keller on 19 Jun 2010 01:04

On 2010-06-19, Todd <todd(a)invalid.com> wrote:
>
> Some newbie questions:

Please keep in mind that not everyone has read your previous posts, so you should provide background for what you're trying to do. I am going to guess that you are trying to give some remote user ssh access to your server, and you don't normally interact with (or necessarily even trust) this person.

> 1) am I correct that it is the remote user that has to
> send me his public key (for my server)? (X11 is backwards,
> so I had to ask.)

Yes. X11 is ''backwards'', but ssh is not. The person running the ssh command is the client; the server listening for ssh connections (i.e., running sshd) is the server. (As an aside, in this way X11 is actually not backwards--the X server you run on your machine is listening for X11 ''connections'' from ''clients'', i.e., programs like xterm. It only seems backwards because the client could be coming from some machine other than the one you're sitting at.)

> 2) how can I insure the remote user used "at least 16
> characters long" password? Could he just use an empty
> password and lie to me?

Yes. If you don't trust the remote user, you could generate the keys and send him the private key. But that begs a chicken-egg problem: how do you get him the private key safely? It's perfectly safe to send public keys via email, but it's not really safe to send private keys. (I'm sure someone will comment on how hard it is to sniff email messages any minute now; that's a decision only you can make. I personally would not send ssh private keys over unencrypted email, and if the user is savvy enough to use PGP, so that you could encrypt the key, he's probably savvy enough to know how to generate a good passphrase.)

Then again, if you don't trust the user, why are you letting him on to your server? Because if you don't trust him, the length of his passphrase is pretty irrelevant--he could simply post it and the private key to comp.os.linux.misc tomorrow, and you'd be hosed.

> 3) do I create a user account for him?

Yes.

> 4) when the user does log into my server, is there some
> mechanism to log him into his own account?

He must provide his userid, which you create for him. You must also put his public key in the right spot in his home directory. He will do something like

ssh hisusername(a)your.server.name.example

> 6) all that chmod'ing and all in the quote above,
> I presume if he is running windows, he will have
> to deal with it somehow?

Yes, or it's possible his ssh client won't care about the permissions on the key files (or, depending on the client, may even take care of the permissions for him). Those docs refer specifically to openssh, which your remote user may not be using.

--keith

-- 
kkeller-usenet(a)wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information
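An added example, not part of Keith's post or of the thread: a small POSIX shell script for the "right spot in his home directory" step, i.e. installing a public key the remote user sent into the account's authorized_keys with the permissions sshd's StrictModes expects, and refusing anything that is not a public key (a private key pasted by mistake, for instance). The home directory, the user name remoteguy and the key material are constructed for the demo; on a real server you would run it as root against /home/remoteguy and chown the result to that user.

```shell
#!/bin/sh
# Added example (not from the thread): install a remote user's public key
# into an account's ~/.ssh/authorized_keys with the permissions sshd expects,
# after sanity-checking the key. Paths and the key below are constructed.

# Accept only the key types openssh writes to id_*.pub. Reject anything that
# looks like a private key: the remote user should never have sent one.
check_pubkey() {
    key="$1"
    case "$key" in
        *"PRIVATE KEY"*) return 1 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    # A public key line is "type base64 [comment]"; the base64 part must be non-empty.
    set -- $key
    [ -n "$2" ]
}

# install_pubkey HOMEDIR PUBKEY: create HOMEDIR/.ssh (mode 700) and append the
# key to authorized_keys (mode 600). Idempotent: a key already present is
# not appended twice.
install_pubkey() {
    home="$1"
    key="$2"
    check_pubkey "$key" || return 1
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# count_keys HOMEDIR: number of keys currently authorized for that account.
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Constructed sample key (not real key material): the shape of an ed25519
# public key as id_ed25519.pub contains it, "ssh-ed25519 <base64> comment".
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDemoOnly00000000000 remoteguy@laptop'

# Demo in a temporary directory so no root is needed. On a real server:
#   useradd -m remoteguy
#   install_pubkey /home/remoteguy "$key_he_sent"
#   chown -R remoteguy: /home/remoteguy/.ssh
demo_home="$(mktemp -d)"
install_pubkey "$demo_home" "$SAMPLE_KEY" && echo "installed into $demo_home/.ssh/authorized_keys"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
```

The key check is deliberately shallow: it only guarantees the line has the shape of a public key. As Keith says, nothing in the public key tells you how long (or whether) the matching private key's passphrase is.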
From: David Brown on 19 Jun 2010 09:21

Todd wrote:
> 5) what do you think of using port masking (a port
> other than 22)
>

Since Keith answered all your other questions, but missed out this one, I'll chime in.

Using a non-standard port will practically eliminate all opportunist attacks on your ssh server. A lot of script kiddies and other attackers will try port 22 on every ip address in a block, looking for weak points. If they find the port open, they will attempt to connect using the "root" user (and possibly others) and a range of common passwords. Unless you have picked weak passwords (and allowed root login to ssh, and don't use keys), then these attacks are not a risk. But they are a waste of resources and bandwidth, and clutter up your logs. With a non-standard port, you avoid that.
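An added example, not from David's post or from the thread: a shell snippet that measures the log clutter he describes on a few sshd log lines (constructed here, in the syslog format sshd writes) and audits an sshd_config for the three settings that decide whether those attempts are a risk. The addresses, host name and the non-standard port 2303 are taken from or modelled on the thread's own example and are not real.

```shell
#!/bin/sh
# Added example (not from the thread). The log lines and config files below
# are constructed samples, not captures from a real server.

# Constructed auth.log excerpt: a scanner guessing passwords, and one
# legitimate key-based login.
SAMPLE_LOG='Jun 19 03:12:01 saratoga sshd[4101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jun 19 03:12:04 saratoga sshd[4103]: Failed password for root from 198.51.100.7 port 51040 ssh2
Jun 19 03:12:09 saratoga sshd[4105]: Failed password for invalid user admin from 198.51.100.7 port 51061 ssh2
Jun 19 03:15:33 saratoga sshd[4120]: Failed password for invalid user oracle from 203.0.113.9 port 40011 ssh2
Jun 19 03:40:12 saratoga sshd[4177]: Accepted publickey for remoteguy from 192.0.2.25 port 55910 ssh2'

# failed_by_source: reads log lines on stdin, prints "count address" per
# source of failed password attempts, busiest source first.
failed_by_source() {
    grep 'Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++ }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# usernames_tried: distinct account names the scanners guessed ("invalid
# user" is what sshd prefixes for names that do not exist on the box).
usernames_tried() {
    grep 'Failed password' |
        sed -n 's/.*Failed password for \(invalid user \)\{0,1\}\([^ ]*\) from.*/\2/p' |
        sort -u
}

# audit_sshd_config FILE: one line per risky setting, nothing when clean.
# A missing directive is treated as Port 22, PermitRootLogin yes and
# PasswordAuthentication yes, the defaults of the OpenSSH releases current
# when this thread was written (OpenSSH 7.0 and later default
# PermitRootLogin to prohibit-password). Commented-out lines are ignored
# because their first word starts with '#'.
audit_sshd_config() {
    f="$1"
    port=$(awk 'tolower($1) == "port" { v = $2 } END { print (v == "" ? "22" : v) }' "$f")
    root=$(awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { print (v == "" ? "yes" : v) }' "$f")
    pass=$(awk 'tolower($1) == "passwordauthentication" { v = tolower($2) } END { print (v == "" ? "yes" : v) }' "$f")
    [ "$port" = 22 ] && echo "Port 22: every address-range scan will find sshd"
    [ "$root" = yes ] && echo "PermitRootLogin yes: root password guesses are checked against the real root password"
    [ "$pass" = yes ] && echo "PasswordAuthentication yes: a guessed password is enough; keys make the guesses useless"
    return 0
}

# count_findings FILE: number of lines audit_sshd_config reports.
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# Demo with a default-looking config and a hardened one (both constructed).
weak=$(mktemp);     printf 'Port 22\nPermitRootLogin yes\n' > "$weak"
hardened=$(mktemp); printf 'Port 2303\nPermitRootLogin no\nPasswordAuthentication no\n' > "$hardened"
echo "Failed attempts by source:";  printf '%s\n' "$SAMPLE_LOG" | failed_by_source
echo "Usernames tried:";            printf '%s\n' "$SAMPLE_LOG" | usernames_tried | tr '\n' ' '; echo
echo "Findings for weak config:";   audit_sshd_config "$weak"
echo "Findings for hardened config: $(count_findings "$hardened")"
rm -f "$weak" "$hardened"
```

Moving the port only removes the noise; the audit's other two findings are what make a guessed password harmless, which is the point David makes about keys and root login.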
From: Todd on 19 Jun 2010 16:44

On 06/18/2010 07:58 PM, Todd wrote:

Wow. Thank you all!

-T
From: Todd on 19 Jun 2010 17:03

First, thank you for the excellent reply! I am only removing most of it as nntp.aioe.org gets annoyed if you quote too many lines.

> Host saratoga.foobar.com
> Port 2303
> User remoteguy

Question: is "remoteguy" the user name for his local (on the server) account or his user name from his client (remote) laptop?

-T
From: Todd on 19 Jun 2010 17:19

Another follow-up question:

If I disable root to root access (no logon as root through ssh), does that preclude a remote user from "su" to root?

-T