Re: ssh?

jeff@xxxxxxxxxx wrote:
> I'm trying to make my system a little more secure but still allow it to be
> accessed remotely from the internet using ssh, and I'm looking for some
> guidance.  The systems in question are a Fedora 9 and a Fedora Core 6 system.
>
> The first thing I did was, on my workstation (that I ssh from), create a
> public/private key pair; I installed the public key in
> ~/.ssh/authorized_keys2 and disabled the password authentication in
> /etc/ssh/sshd_config, and everything so far works great.
>
> The issue I came up with is that one of the systems sits on my home network
> behind a firewall; it would be nice if I could require the public key only
> for systems not on my local network, e.g. only the systems on the internet
> must be known.  I guess telnet is an option since it is blocked at the
> firewall.

I use different IP addresses to connect to depending on whether I'm inside or outside my firewall. That kinda solves the problem. I still use public key authentication as it doesn't require a password to be typed in. Instead of telnet (which always prompts for your login password) you might want to look at rsh instead. Just be sure to limit its use to your local LAN behind your firewall only.

> Next question/problem is, if I create an account for somebody to use when
> connecting to the system, I must put their public key in their home
> directory; can it be done the reverse?  In other words, can I provide them
> a key for the system, and if they don't have that key they cannot connect
> to the system?

The public key is for a single user account. It is not a system-wide key. You would need to create separate key-pairs for each userid you wish to allow access to. Here is where you need to be careful. Each user has control over his/her own key-pair. It is possible they could set up null keys, thereby getting around the security you want in place.

Make sure you understand all of this before you start issuing them to friends.

> Thanks, Jeff

--
Kevin J. Cummings
kjchome@xxxxxxx
cummings@xxxxxxxxxxxxxxxxxx
cummings@xxxxxxxxxxxxxxxxxxxxxxx
Registered Linux User #1232 (http://counter.li.org)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
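
An sshd_config sketch of the setup discussed in this thread, added here as an example and not taken from either poster's configuration. It assumes an OpenSSH release whose sshd supports `Match Address` with CIDR notation (older releases such as the one in Fedora Core 6 may not); the subnet 192.168.1.0/24 and the directory /etc/ssh/authorized_keys are constructed values.

```conf
# /etc/ssh/sshd_config (added example; subnet and key directory are assumed)

# Default for every client, including anything arriving from the internet:
# public key only. Keyboard-interactive is disabled as well, because with PAM
# it can otherwise still offer a password prompt.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no

# Look up authorized keys in a root-owned directory instead of ~/.ssh, so an
# account holder cannot add or replace keys for the account.
# The administrator creates /etc/ssh/authorized_keys/<user>, owned by root,
# mode 0644, containing the public key(s) accepted for that account.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Clients whose source address is on the home LAN may also use a password.
# Match blocks go at the end of the file: everything after a Match line
# belongs to it until the next Match line or end of file.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Run `sshd -t` to check the file for syntax errors before restarting sshd, and keep an existing session open until a new login has been tested. The server only ever sees public keys, so it has no way to check whether a user's private key is protected by a passphrase.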