[Techtalk] 216 ssh login attempts, what to do?

Colleen Hatfield evilpig at gmail.com
Thu Oct 14 09:47:54 EST 2004 

On Wed, 13 Oct 2004 20:02:59 -0400, aec <brat at magma.ca> wrote:
<snip>
> I can look into ssh keys, but I have six hosts behind the router and
> 7 more that are not mine, but I have shell access to, I think, but am
> not sure, that you should *never* use the same key all over the place,
> but instead use a different key for each host? this would require me
> to maintain 13 keys?

Not unless you wanted to.  This is my understanding of the process,
and hopefully someone will correct me if it is a misunderstanding.

First you create a public/private key pair on one of your client
machines (using ssh-keygen).  The default names and locations for
these are /home/user/id_dsa (private) and /home/user/id_dsa.pub, but
you can set the name to whatever you want when you create the key. 
During the key creation process, it will ask you for a password. 
Choose a strong password, because this will be used to encrypt your
private key on disk.

You copy your public key to the /home/user/.ssh/authorized_keys file
on every remote server that you want to log into (you may have to
create this file).  If you like, you can restrict the IPs from which
the key can be used by adding those IPs to the front of the public key
(see documentation for exact syntax).

You copy your private key file to the /home/user/.ssh/ directory of
ever client that you will use to login to the remote servers. 
Alternately I suppose you could keep it on a USB key or something, but
I don't have one of those yet so I haven't tried.

After you have your public key on the server and your private key on
the client, you can then login to the server from the client.  If you
named your key anything other than id_dsa, you'll need to tell ssh on
the client which "identity" to use.  This is done with the -i
argument, like "ssh -i /home/user/.ssh/keyname.id_dsa user at server". 
You will then be asked to input the password for the key, and once you
provide it you will be logged into the remote server.

Once you've set up your key-based authentication, you'll want to
disable authentication by password on your remote servers.

Security implications:
Since your private key is encrypted by a strong password, the only way
someone else can use it is if they gain access to the private key AND
gain access to the password, by brute-force, keylogging, or whatever. 
It is possible to use a separate key pair for every possible
client-server combination.  In my understanding, this doesn't really
gain you much besides a little time, because the attacker would have
to crack your password on multiple keys rather than just one (assuming
you used a different password for each key).  If one of your client
machines gets compromised or your USB key gets stolen, you can just
remove the old key pair from the clients and servers and create a new
one.

- Colleen

More information about the Techtalk mailing list