ssh clarification needed
Anne Wilson
annew at kde.org
Sun Jan 4 11:43:18 UTC 2009
On Sunday 04 January 2009 11:32:24 Mike Cloaked wrote:
> Anne Wilson-4 wrote:
> > Is a ssh key specific to a computer, or to a user? That is, does my key
> > pertain to any box on the lan, as long as I'm the user? Or is it machine
>
> ssh keys are specific to the user - they are in the user's .ssh directory in
> their home directory. Root also has its own .ssh
>
> On the server side you can choose who to allow to connect and also whether
> to allow password connections and many other options in
> /etc/ssh/sshd_config and you can find more in "man sshd_config"
>
On my server I set that up to allow only connection with keys. I presume that
any box that might need to be monitored by ssh will need the same treatment.
> You need to look up how to generate ssh keys and store them. It is possible
> to replicate the .ssh directory for your own user area and put it on the
> user area of the same name on a different computer to save the need to
> generate new keys.
>
I feel unsafe about storing keys on a laptop that is going to travel, so I'll
need to read up on storing them on a usb stick. At least losing the stick
will not make the connection unsafe :-) - I'm unlikely to lose the laptop and
stick at the same time.
> However you also need to be aware that the system will know if the remote
> machine you are connecting to is upgraded - and then when you try to ssh in
> you will get a warning saying there is a possible man-in-the-middle attack.
> In this instance, if the remote machine is known to have been reinstalled,
> for example, then the user area from which you are trying to connect needs
> to have the entry in .ssh/known_hosts removed by editing (or remove the
> known_hosts file) and accept the prompts the first time you subsequently
> ssh into the machine.
>
OK - this is probably not an issue on the server, which runs CentOS, but would
be much more so on workstations and laptops.
> There are tutorials on the net and a google search will find them fairly
> easily.
Yes, I set it up from such a tutorial, but sometimes I need to check that I
have understood/remembered something correctly. Especially when it concerns
something relevant to security.
Anne
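The three points raised in the exchange above (a server that accepts only keys, a per-user key carried on a stick, and clearing a stale known_hosts entry after a reinstall) in runnable form. This is an added example, not code from the thread or from any Fedora or OpenSSH project; the host name server.lan, the address 192.168.1.10 and the /media/usb path are assumptions, and the sshd_config fragments and known_hosts file it writes are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread). Demonstrates: checking that an
# sshd_config only allows key logins, generating a passphrase-protected key
# on removable media, and dropping one stale known_hosts entry instead of
# deleting the whole file. "server.lan" and "/media/usb" are assumptions.

# Write two constructed sshd_config fragments: one that still accepts
# passwords and one restricted to keys.
write_sample_configs() {
    cat > "$1" <<'EOF'
# constructed sample: passwords still accepted
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
EOF
    cat > "$2" <<'EOF'
# constructed sample: key-only logins
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
EOF
}

# sshd honours the first uncommented occurrence of a keyword (keywords are
# case-insensitive), so stop at the first match and ignore "#Keyword" lines.
first_setting() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# Succeed only if the config permits nothing but public-key logins.
# PubkeyAuthentication defaults to yes when unset.
sshd_config_is_key_only() {
    pw=$(first_setting "$1" passwordauthentication)
    cr=$(first_setting "$1" challengeresponseauthentication)
    pk=$(first_setting "$1" pubkeyauthentication)
    [ "$pw" = "no" ] && [ "$cr" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Create a key pair on the stick with a passphrase, so that a lost stick
# does not by itself hand out a working credential. Needs ssh-keygen.
generate_travel_key() {
    dir=$1; passphrase=$2
    command -v ssh-keygen >/dev/null || { echo "ssh-keygen not found" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    ssh-keygen -q -t ed25519 -f "$dir/id_ed25519" -N "$passphrase" -C "travel key"
}

# Return 0 if known_hosts $1 has an unhashed entry naming $2 (alone or in a
# comma-separated host list). Hashed entries (|1|...) cannot be matched by
# name here; ssh-keygen -R handles those.
host_is_known() {
    awk -v h="$2" '
        $1 !~ /^[#|]/ {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Remove every unhashed entry for $2 from known_hosts $1, keeping a backup,
# so the other hosts' keys stay trusted.
forget_host_key() {
    cp "$1" "$1.old"
    awk -v h="$2" '
        {
            keep = 1
            if ($1 !~ /^[#|]/) {
                n = split($1, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
            }
        }
        keep' "$1.old" > "$1"
}

# Constructed known_hosts with three entries (key material is placeholder).
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
server.lan,192.168.1.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder
laptop.lan ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder
|1|hashedsalt=|hashedhost= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_sample_configs "$tmp/weak" "$tmp/hardened"
    sshd_config_is_key_only "$tmp/weak" && echo "weak: key-only" || echo "weak: passwords allowed"
    sshd_config_is_key_only "$tmp/hardened" && echo "hardened: key-only"
    write_sample_known_hosts "$tmp/known_hosts"
    forget_host_key "$tmp/known_hosts" server.lan
    host_is_known "$tmp/known_hosts" server.lan || echo "server.lan forgotten"
    rm -rf "$tmp"
}
demo
```

To use a key kept on the stick rather than in ~/.ssh, point ssh at it explicitly: `ssh -i /media/usb/id_ed25519 -o IdentitiesOnly=yes user@server.lan` (path assumed). Two caveats the thread does not spell out: a private key without a passphrase is a usable credential for whoever finds the stick, which is why generate_travel_key insists on one; and copying a .ssh directory to another machine copies that private key with it, so every machine holding the copy becomes a place the key can be stolen from. For a reinstalled server, `ssh-keygen -R server.lan` does the same job as forget_host_key and also handles hashed entries.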