[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh clarification needed



On Sunday 04 January 2009 11:32:24 Mike Cloaked wrote:
> Anne Wilson-4 wrote:
> > Is a ssh key specific to a computer, or to a user?  That is, does my key
> > pertain to any box on the lan, as long as I'm the user?  Or is it machine
>
> ssh keys are specific to the user - they are in the users .ssh directory in
> their home user directory. Root also has its own .ssh
>
> On the server side you can choose who to allow to connect and also whether
> to allow password connections and many other options in
> /etc/ssh/sshd_config and you can find more in "man sshd_config"
>
On my server I set that up to allow only connection with keys.  I presume that 
any box that might need to be monitored by ssh will need the same treatment.

> You need to look up how to generate ssh keys and store them. It is possible
> to replicate the .ssh directory for your own user area and put it on the
> user area of the same name on a different computer to save the need to
> generate new keys.
>
I feel unsafe about storing keys on a laptop that is going to travel, so I'll 
need to read up on storing them on a usb stick.  At least losing the stick 
will not make the connection unsafe :-) - I'm unlikely to lose the laptop and 
stick at the same time.

> However you also need to be aware that the system will know if the remote
> machine you are connecting to is upgraded - and then when you try to ssh in
> you will get a warning saying there is a possible man-in-the middle attack.
> In this instance if the remote machine is known to have been reinstalled
> for example then in the user area from which you are trying to connect need
> to have the entry in .ssh/known_hosts removed by editing (or remove the
> known_hosts file) and accept prompts the first time you then subsequently
> ssh into another machine.
>
OK - this is probably not an issue on the server, which runs CentOS, but would 
be much more so on workstations and laptops.

> There are tutorials on the net and a google search will find them fairly
> easily.

Yes, I set it up from such a tutorial, but sometimes I need to check that I 
have understood/remembered something correctly.  Especially when it concerns 
something relevant to security.

Anne

Attachment: signature.asc
Description: This is a digitally signed message part.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]