[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh?



jeff bubble org wrote:
I'm trying to make my system a little more secure but still allow it to be
accessed remotely from the internet using ssh and I'm looking for some
guidance.  The systems in question are a Fedora 9 and a Fedora Core 6 system.

The first thing I did was on my workstation (that I ssh from) is create a
public/private key pair and installed the public key in ~/.ssh/authorized_keys2, and disabled the password authentication in the /etc/ssh/sshd_config and everything so far works great.

My issue I came up with is one of the systems sits on my home network behind
a firewall, it would be nice if I can only require the public key for
systems not on my local network, eg only the systems on the internet must
be known.  I guess telnet is an option since it is blocked at the firewall.

I use different IP addresses to connect to depending on whether I'm inside or outside my firewall. That kinda solves the problem. I still use public key authentication as it doesn't require a password to be typed in. Instead of telnet (which always prompts for your login password) you might want to look at rsh instead. Just be sure to limit its use to your local LAN behind your firewall only.

Next question/problem is, if I create an account for somebody to use when
connecting to the system, I must put their public key in their home
directory, can it be done the reverse?  In other words can I provide them
a key for the system and if they don't have that key they can not connect
to the system.

The public key is for a single user account. It is not a system-wide key. You would need to create separate key-pairs for each userid you wish to allow access to. Here is where you need to be careful. Each user has control over his/her own key-pair. It is possible they could set up null keys, thereby getting around the security you want in place.

Make sure you understand all of this before you start issuing them to friends.

Thanks, Jeff

--
Kevin J. Cummings
kjchome rcn com
cummings kjchome homeip net
cummings kjc386 framingham ma us
Registered Linux User #1232 (http://counter.li.org)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]