ssh clarification needed

Anne Wilson annew at kde.org
Sun Jan 4 11:43:18 UTC 2009 

On Sunday 04 January 2009 11:32:24 Mike Cloaked wrote:
> Anne Wilson-4 wrote:
> > Is a ssh key specific to a computer, or to a user?  That is, does my key
> > pertain to any box on the lan, as long as I'm the user?  Or is it machine
>
> ssh keys are specific to the user - they are in the users .ssh directory in
> their home user directory. Root also has its own .ssh
>
> On the server side you can choose who to allow to connect and also whether
> to allow password connections and many other options in
> /etc/ssh/sshd_config and you can find more in "man sshd_config"
>
On my server I set that up to allow only connection with keys.  I presume that 
any box that might need to be monitored by ssh will need the same treatment.

> You need to look up how to generate ssh keys and store them. It is possible
> to replicate the .ssh directory for your own user area and put it on the
> user area of the same name on a different computer to save the need to
> generate new keys.
>
I feel unsafe about storing keys on a laptop that is going to travel, so I'll 
need to read up on storing them on a usb stick.  At least losing the stick 
will not make the connection unsafe :-) - I'm unlikely to lose the laptop and 
stick at the same time.

> However you also need to be aware that the system will know if the remote
> machine you are connecting to is upgraded - and then when you try to ssh in
> you will get a warning saying there is a possible man-in-the middle attack.
> In this instance if the remote machine is known to have been reinstalled
> for example then in the user area from which you are trying to connect need
> to have the entry in .ssh/known_hosts removed by editing (or remove the
> known_hosts file) and accept prompts the first time you then subsequently
> ssh into another machine.
>
OK - this is probably not an issue on the server, which runs CentOS, but would 
be much more so on workstations and laptops.

> There are tutorials on the net and a google search will find them fairly
> easily.

Yes, I set it up from such a tutorial, but sometimes I need to check that I 
have understood/remembered something correctly.  Especially when it concerns 
something relevant to security.

Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20090104/ddbff5a8/attachment-0001.sig>

More information about the fedora-list mailing list