Re: ssh?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 19Jun2008 17:01, jeff@xxxxxxxxxx <jeff@xxxxxxxxxx> wrote:
| The first thing I did was on my workstation (that I ssh from) is create a
| public/private key pair and installed the public key in 
| ~/.ssh/authorized_keys2, and disabled the password authentication in the  
| /etc/ssh/sshd_config and everything so far works great.

You should also disable PermitRootLogin and set up an AllowUsers line in
sshd_config; this gives you tighter control.

| My issue I came up with is one of the systems sits on my home network behind
| a firewall, it would be nice if I can only require the public key for
| systems not on my local network, eg only the systems on the internet must
| be known.

For why? Run an ssh-agent in your shell. Add your key to the agent.
Use ssh (which will silently use the key) to connect regardless.
Seriously, this is much more secure (because you never set up an
insecure ssh) and in the long run more convenient.

| I guess telnet is an option since it is blocked at the firewall.

It's an option, but poor.

| Next question/problem is, if I create an account for somebody to use when
| connecting to the system, I must put their public key in their home
| directory, can it be done the reverse?  In other words can I provide them
| a key for the system and if they don't have that key they can not connect
| to the system.

Sure - it just means you make the key first. But that has two problems:
1) you know the passphrase to the key - only they should know it and 2)
you have to get the _private_ key to the securely. Putting it on a USB
thumb drive and physically handing it to them might do (2), provided you then
scrub the USB thumb drive and ensure they install the private key
securely.

If they make the key, they just send you the public half, which can be sent
more openly, since it does not need to be secret. Or course, there is the
issue of ensuring that a key that arrives in email really came from the user
you intent to grant access to... A phone call can be used for this.
-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743
http://www.cskk.ezoshosting.com/cs/

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux