ssh?

Kevin J. Cummings cummings at kjchome.homeip.net
Thu Jun 19 21:14:47 UTC 2008


jeff at bubble.org wrote:
> I'm trying to make my system a little more secure but still allow it to be
> accessed remotely from the internet using ssh and I'm looking for some
> guidance.  The systems in question are a Fedora 9 and a Fedora Core 6 system.
> 
> The first thing I did, on my workstation (that I ssh from), was create a
> public/private key pair and install the public key in
> ~/.ssh/authorized_keys2, and disable password authentication in
> /etc/ssh/sshd_config, and everything so far works great.
> 
> The issue I came up with is that one of the systems sits on my home network behind
> a firewall; it would be nice if I could only require the public key for
> systems not on my local network, e.g. only the systems on the internet must
> be known.  I guess telnet is an option since it is blocked at the firewall.

I use different IP addresses to connect to depending on whether I'm 
inside or outside my firewall.  That kinda solves the problem.  I still 
use public key authentication as it doesn't require a password to be 
typed in.  Instead of telnet (which always prompts for your login 
password) you might want to look at rsh instead.  Just be sure to limit 
its use to your local LAN behind your firewall only.

> Next question/problem is, if I create an account for somebody to use when
> connecting to the system, I must put their public key in their home
> directory; can it be done in reverse?  In other words, can I provide them
> a key for the system so that if they don't have that key they cannot connect
> to the system?

The public key is for a single user account.  It is not a system-wide 
key.  You would need to create separate key-pairs for each userid you 
wish to allow access to.  Here is where you need to be careful.  Each 
user has control over his/her own key-pair.  It is possible they could 
set up null keys, thereby getting around the security you want in place.

Make sure you understand all of this before you start issuing them to 
friends.

> Thanks, Jeff

-- 
Kevin J. Cummings
kjchome at rcn.com
cummings at kjchome.homeip.net
cummings at kjc386.framingham.ma.us
Registered Linux User #1232 (http://counter.li.org)
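Both of Jeff's questions can also be answered inside sshd itself, without a second IP address or rsh. The sshd_config fragment below is an added example and is not from this thread; it assumes the home LAN is 192.168.1.0/24, that keys are kept under /etc/ssh/authorized_keys/ (both are assumptions), and an sshd new enough to support Match blocks (OpenSSH 4.4 or later).

```sshd_config
# Added example, not from the thread. Keys are mandatory from the internet,
# passwords are still accepted on the home LAN, and key files live outside
# the users' home directories so they cannot weaken their own key setup.
# 192.168.1.0/24 and /etc/ssh/authorized_keys/ are assumed values.

# Global defaults: apply to every connection that no Match block overrides.
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

# Read each user's keys from a root-owned file named after the user (%u)
# instead of ~/.ssh/authorized_keys. Only root can add or replace keys,
# which removes the "null key" problem described above.
AuthorizedKeysFile /etc/ssh/authorized_keys/%u

# Only the home LAN gets password logins; every other source keeps the
# global key-only rule. Match blocks must be the last thing in the file.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

The key directory and its files must be owned by root and not writable by anyone else (mode 755 and 644 respectively), or sshd's StrictModes check will refuse them. Run `sshd -t` to check the file for syntax errors before restarting the daemon, and keep an existing session open while you test the new configuration.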

More information about the fedora-list mailing list