Re: Sharing the SSH server keys & other questions
From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 06/26/04
- Previous message: Darren Dunham: "Re: Sharing the SSH server keys & other questions"
- In reply to: Carlos N: "Sharing the SSH server keys & other questions"
- Next in thread: Richard E. Silverman: "Re: Sharing the SSH server keys & other questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 26 Jun 2004 01:55:05 +0000 (UTC)
Carlos N <cgnjunkregDELETE@hotmail.com> writes:
]Basic SSH question:
]If I want to use RSA authentication by clients the process is simple. I
]generate a key pair, leave the private key (encrypted or not) on the
]client, give the public key to the server, make sure the server knows
]about it and presto.
]This makes sense. The server administrator has to actively accept the
]clients key, insuring that not just anyone can login.
]However, it seems that the reverse is not true. The server also has a
]private/public key pair (whether using key or password authentication).
] It seems, however, that the server automatically will feed its public
]key to the client. The client checks to make sure the key is OK - sure
]that protects the client. But it seems like ANY client can connect and
]automatically gets the key. Is there a way to limit the exchange so
]that the admin has to hand out the server's key through a different
]channel? Am I missing the point?
Yes. The point is authentication not access control. Ie, if you as a client
connect to the server, you want to know that the server is actually the
machine you wanted to connect to. It is NOT to do access control on the
server.
The first time you hook up, you will be told that the client has received
the server's public key. Make sure you do that in a situation where you are
pretty sure you are not being spoofed and the server really is the server.
Access control is via the logon, or via /etc/hosts.allow/deny files -- if
you want to restric the IPs that are allowed to use ssh onto your server,
put their IP addresses into there.
Otherwise, put
ALL:ALL
into /etc/hosts.deny and list the services you are willing to host and the
IP addresses that allowed to connect in /etc/hosts.allow.
For example I have the line
sshd sshd1 ssh sshdfwd-X11:ALL
in /etc/hosts.allow
or
rsync: 123.232.123.
to allow only hosts with IP addresses starting with that number from
connecting via rsync.
]In case you are wondering... I'm trying to set up a very simple SSH
]server on my home machine, so my wife can access it remotely. It seems
]like handing out the server key manually would be a way to restrict
]passerbys from trying to log in. Of course, the password and/or client
]key does the same thing. I'm just wondering....
]On a very related note. Since she will be traveling, sometimes using
]her laptop, sometimes using internet cafes or hotel computers, it seems
]like the best option is to use password rather than key authentication.
Yes. ssh remember does encryption. HOwever it would be good idea for her to
take a floppy along with putty on it to use ssh from those machines. That
prevents rogue ssh programs. But of course there is still the danger of the
systems doing password sniffing from the keyboard.
] Is this correct? This way she doesn't have to install a new key in
]each place. It also seems to preclude my doing any host-level access
]privileges in SSD.
- Previous message: Darren Dunham: "Re: Sharing the SSH server keys & other questions"
- In reply to: Carlos N: "Sharing the SSH server keys & other questions"
- Next in thread: Richard E. Silverman: "Re: Sharing the SSH server keys & other questions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
