OVH Community, your new community space.

The noise going around about SSH


DedicatedPros
08-07-2009, 15:34
Or do that ^^

Myatu
08-07-2009, 09:53
Oi Marks, I was in the middle of replying when you moved it!

Quote Originally Posted by DedicatedPros
For starters a good thing to do is change the port SSH listens on, and only allow incoming connections on that port from your IP address.
True. You can also generate an RSA (or DSA) keypair and disable root login with a password. Using this method, you must have a valid RSA key to be able to login.

On Linux you can use this command:

Code:
ssh-keygen -t rsa
Although not required, it is advisable to use a passphrase. The passphrase essentially functions as a password to the private key that's being generated - should your private key be compromised, one would still need to know the passphrase to use it.

Upon completion, ssh-keygen will specify where your private and public key are stored. The private key stays on the machine you use to access the server. The public key (i.e., /root/.ssh/id_rsa.pub) gets copied to the server.

On the server, you add the public key to your authorized keys, i.e.:

Code:
# append the uploaded public key to root's list of accepted keys
cat /root/downloads/id_rsa_from_home_pc.pub >> /root/.ssh/authorized_keys
# sshd refuses the file if it is readable by anyone but the owner
chmod 600 /root/.ssh/authorized_keys
rm -f /root/downloads/id_rsa_from_home_pc.pub
Where "/root/downloads/id_rsa_from_home_pc.pub" is the public key you copied to the server.

The server's /etc/ssh/sshd_config (on Debian, may be different location for others) contains:
Code:
...
PermitRootLogin without-password
...
This will still enable root login, but you cannot log in using root's password. You must use the private key. For example, from the remote machine:

Code:
ssh -i /root/.ssh/id_rsa root@91.121.xxx.xxx
Note that anyone trying to log in as root will still be prompted for a password, even though you've enabled the "without-password" option. This is done to thwart possible intruders by not giving away that you're using a keypair instead - intruders will fruitlessly try to enter passwords...

If you're using Windows, you can use Pageant for PuTTY, which comes with WinSCP. The Key Tools will help you generate a keypair, whose public key you can upload and configure in the same manner as described above.
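The sshd_config settings described above can be checked mechanically. The script below is an added example, not code from this thread or from OVH; it assumes two constructed config files (written to temporary files) and reads only the first effective line per keyword, which is how sshd itself resolves them.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the settings
# discussed above. sshd keeps the FIRST value it reads for each keyword, so the
# check takes only the first effective line and stops at any Match block.

# sshd_get <config> <keyword>: print the first effective value of a keyword
# (keywords are case-insensitive; comments and blank lines are skipped).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"                { exit }
        tolower($1) == key                    { print $2; exit }
    ' "$1"
}

# sshd_audit <config>: print one line per weak setting and return the count
# (0 = nothing to report). OpenSSH of that era defaulted PermitRootLogin to
# "yes", so a missing line is treated as weak.
sshd_audit() {
    n=0
    case "$(sshd_get "$1" PermitRootLogin)" in
        ""|yes) echo "PermitRootLogin: root can still log in with a password"; n=$((n+1)) ;;
    esac
    case "$(sshd_get "$1" PasswordAuthentication)" in
        no) ;;
        *)  echo "PasswordAuthentication: passwords still accepted for other users"; n=$((n+1)) ;;
    esac
    case "$(sshd_get "$1" PubkeyAuthentication)" in
        no) echo "PubkeyAuthentication: the ssh-keygen key would be refused"; n=$((n+1)) ;;
    esac
    return "$n"
}

# Two constructed configs (hypothetical, not OVH's files): a stock-looking one
# and one hardened as the thread suggests, with a Match block that must be ignored.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
#PermitRootLogin no      <- commented out, so sshd never sees it
PasswordAuthentication yes
EOF
cat >"$HARD_CFG" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"; sshd_audit "$f" && echo "-> OK" || echo "-> $? weak setting(s)"
done
```

Newer OpenSSH spells the same option prohibit-password and still accepts without-password as an alias; neither is reported as weak here.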

marks
08-07-2009, 09:50
Hello,

There has been some noise going around for a few hours about a fault
in the SSH service. It is very difficult to know whether it is true or not. But if it's
true, the most important thing is how serious the bug is.
When in doubt, we have provided patches for the servers, which we still
have to check against several dozen servers before you use
them. And if the fault is ever confirmed, we will block port 22 while
helping you resolve the problem on your server. Meanwhile, we
remain vigilant and are finishing preparations for a beautiful patch-party,
which should start before noon tomorrow.

Learn more (there is very little info):
http://isc.sans.org/diary.html?storyid=6742

Sincerely,
Octave