Re: SSH question
From: Brian Hatch (secure-shell_at_ifokr.org)
Date: 07/17/03
- Previous message: Peter Mueller: "RE: Problem after SSH/SSL upgrade"
- In reply to: Armin M. Safarians: "SSH question"
- Next in thread: Armin M. Safarians: "Re: SSH question"
- Reply: Armin M. Safarians: "Re: SSH question"
Date: Wed, 16 Jul 2003 17:00:15 -0700
To: "Armin M. Safarians" <armin.safarians@safeway.com>
> I hope someone can help with this finding.
> We are investigating centralized control of the authorized_keys file in
> a root owned directory with world readable permission so we can control
> key usage. We have added user1@hosta's key into this file.
You haven't really defined this well.
authorized_keys files go into the .ssh directory of a specific
user. So if I wanted the key 'id_rsa.pub' to be allowed to
ssh into my account (jdoe) on host 'host-a', I'd do the following
me@home$ cd ~/.ssh
me@home$ ls
id_rsa id_rsa.pub
me@home$ scp id_rsa.pub jdoe@host-a:mykey.pub
me@home$ ssh jdoe@host-a
(type password, since the key isn't trusted yet.)
jdoe@host-a$ mkdir .ssh ; chmod 700 .ssh . ; cd .ssh
jdoe@host-a$ cat ../mykey.pub >> authorized_keys
jdoe@host-a$ chmod 600 authorized_keys
jdoe@host-a$ exit
me@home$ ssh jdoe@host-a
(no password required now.)
Now, if I take my id_rsa key and copy it to some other
machine (say my ISP, or my work machine, etc) then yes,
I can use it to log into host-a with pubkey authentication.
If I want to allow this key only from one host, then edit
the authorized_keys file and add a 'from=' option, à la
jdoe@host-a$ head -1 authorized_keys
from="192.168.1.1" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAp8Z4Efr8...
> It seems that so long as user1 has a key on any machine, and it exists
> in the authorized_keys file, user1 can ssh to those remote hosts as
> anyone else.
The user should only be able to log into an account that has included
user1's public key in their authorized_keys file. This user couldn't
log in as me if I don't have his pubkey in my authorized_keys file,
for example.
If I'm misunderstanding your situation, let me know.
--
Brian Hatch                     Never test the depth
Systems and                     of the water with
Security Engineer               both feet.
www.buildinglinuxvpns.net
Every message PGP signed
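The procedure Brian walks through above (install the key with 700/600 permissions, then pin it to one source host with a 'from=' option) as a worked example. This is an added script, not code from the original post or from OpenSSH; the directory names, the truncated key blob and the "me@home" comment are constructed for the demo and the blob is not a usable key. One caveat worth stating plainly: OpenSSH's authorized_keys parser expects the 'from=' pattern in double quotes and the key type ("ssh-rsa") before the base64 blob, so the line must read from="192.168.1.1" ssh-rsa AAAA..., not a bare from=192.168.1.1 AAAA.... The audit function also goes a little beyond the post: it scans a whole authorized_keys file and reports every key that carries no 'from=' restriction at all, which is the check the original poster's "key usable from any machine" concern calls for.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys the way the post describes, optionally pinned with
# from="PATTERN", then audit the file for keys that carry no from= option.

# install_key HOME_DIR PUBKEY_FILE [FROM_PATTERN]
# Appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
# With a pattern, the line is prefixed with from="PATTERN" (OpenSSH wants
# the quotes). Sets the 700/600 modes the post uses.
install_key() {
    home="$1"; pubkey="$2"; pattern="$3"
    sshdir="$home/.ssh"
    mkdir -p "$sshdir"
    chmod 700 "$home" "$sshdir"
    keyline=$(head -n 1 "$pubkey")
    if [ -n "$pattern" ]; then
        printf 'from="%s" %s\n' "$pattern" "$keyline" >> "$sshdir/authorized_keys"
    else
        printf '%s\n' "$keyline" >> "$sshdir/authorized_keys"
    fi
    chmod 600 "$sshdir/authorized_keys"
}

# check_modes HOME_DIR
# Succeeds only when HOME_DIR and HOME_DIR/.ssh are 700 and authorized_keys
# is 600 (sshd's StrictModes rejects group/world-writable ones; 700/600 is
# the post's recommendation). Uses ls(1) so it works on GNU and BSD alike.
check_modes() {
    home="$1"
    [ "$(ls -ld "$home" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -ld "$home/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# all_keys_restricted FILE
# Prints every key line in FILE whose options field has no from= entry
# (i.e. the key is accepted from any source host). Returns 0 only when
# every key is restricted. The options field is isolated by cutting the
# line at the key-type token, so quoted options containing spaces
# (command="ls -l") are handled.
all_keys_restricted() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments
        esac
        opts=$(printf '%s\n' "$line" | sed -E \
            's/(^|[[:space:]])(ssh-[a-z0-9]+|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+) .*$//')
        case "$opts" in
            *from=*) ;;            # restricted to the listed hosts
            *) printf '%s\n' "$line"; found=1 ;;
        esac
    done < "$1"
    return $found
}

# demo: run the whole flow in a throwaway directory (constructed data).
demo() {
    t=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAp8Z4Efr8 me@home\n' > "$t/mykey.pub"
    install_key "$t/home" "$t/mykey.pub" 192.168.1.1   # pinned copy
    install_key "$t/home" "$t/mykey.pub"               # unpinned copy
    cat "$t/home/.ssh/authorized_keys"
    echo "--- keys with no from= restriction:"
    all_keys_restricted "$t/home/.ssh/authorized_keys" || echo "(audit failed)"
    rm -rf "$t"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as "sh script.sh demo" to see both the pinned and the unpinned line and the audit flagging the second one. The from= pattern can also be a comma-separated list of hosts or addresses, with '*' and '?' wildcards and a leading '!' to negate an entry, so one line can allow a key from a whole office range while refusing a particular host in it.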