[Techtalk] 216 ssh login attempts, what to do?

Devdas Bhagat devdas at dvb.homelinux.org
Thu Oct 14 20:56:14 EST 2004


On 13/10/04 20:02 -0400, aec wrote:
<snip>
> I have an additional problem in that my network is behind a netgear
> router, not a "real" router, such as an old linux machine with 2
> network cards. 

<pedant>It is still a router</pedant>.

> I am not sure how possible it would be to have traffic allowed through
> the netgear router and then additionally filtered at the destination
> host. Maybe that is simple, i just don't know. 
> 
> I can however change the port sshd listens on, and tell my users to
> specify another port in the future.
> 
> I can get someone hopefully in #linuxchix to port scan me and see if
> there is anything glaring that I should change.

I personally prefer the output of netstat -ln, using a known
uncompromised toolkit (This is the default, unless your system has been
cracked).

> I can look into ssh keys, but I have six hosts behind the router and
> 7 more that are not mine, but I have shell access to, I think, but am
> not sure, that you should *never* use the same key all over the place, 
> but instead use a different key for each host? this would require me
> to maintain 13 keys? 

There are host keys, and user keys.
The host keys identify the system, and using those you can ensure that
the host you are connecting to is really the host you specified.

You use the ssh-keygen program to obtain the fingerprints of the ssh
key for a host.

(long lines)
[devdas at evita devdas]$ ssh-keygen -l
Enter file in which the key is (/home/devdas/.ssh/id_rsa): /etc/ssh/ssh_host_dsa_key.pub
1024 c0:68:4e:1e:30:43:60:c2:7b:a8:7f:a6:a5:ef:04:2e /etc/ssh/ssh_host_dsa_key.pub

Now, I obtain the public key for this host.
[devdas at evita devdas]$ ssh-keyscan -t dsa 127.0.0.1
# 127.0.0.1 SSH-1.99-OpenSSH_3.1p1
127.0.0.1 ssh-dss
AAAAB3NzaC1kc3MAAACBAP+1Az1Ix9ZUl/H1N5JwwLCDtGtxrz9AtNFXGuh4xl0B9rue+bTxfs6GOnHBn5VJ7ZdNVaWJOCoCCZvdQ33WB3ED8mtcg1vuBkOKK1DBLlbPP4h6BG0n8tU4gj2nNpPAFX6Tf9Fe7ULYMYgJbDsooYPR4fp3pvXPxToSK9WJLF2XAAAAFQC2MwvUKLXJFeFejCRRxbc9Q+lPJQAAAIA8hyw89Mb4ZAFppeJ1HO0ObRTT/NUEkQ54s5lV5Nyl0CD0MB4ITpn/swdfsJ9/4Jp7SoFb3qieFEd+apkJUnzxi2wXLicasfnA8nHQ0P7hM9Nad3KP/OFFFN1uPFTtVui3t94Y22U3KDouqzJ44Zr07u8vMPPXspaJ8FD139cdNQAAAIAF5SN3GNS2IztrWZNWy8BycH2to9zhWXruKI6ykMVBOaJE5vSil6dU+9T2V2JGGmkIox5N/tI/tJQOMCMzd5Ve9fyax/6X+YSRfvxyjE5cLb7j9f4G1BivtmgfuY3ZrtaAiPLbB6k+MNhPW/W28AMgKdiWMobebLx9ikNl0OkGaQ==

Verify the fingerprint and append that to the ~/.ssh/known_hosts file.

(Most people don't bother to do all this, but this is how things are
supposed to work).

This key is unique to this host.
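As an added illustration of the verification step described above (not code from the original post): the ssh-keyscan line quoted earlier is decoded, its key type and size are checked against the "1024" and "ssh-dss" that ssh-keygen -l printed, and the MD5 fingerprint OpenSSH 3.x used is recomputed from the blob and compared with a fingerprint obtained out of band before a known_hosts entry is produced. The blob and the expected fingerprint are the ones from the post (the key line is wrapped in the archive; it is one line here); everything else is assumption.

```python
import base64
import hashlib
import struct

# Constructed input: the ssh-keyscan line quoted in the post (split here only for readability).
KEYSCAN_LINE = "127.0.0.1 ssh-dss " + (
    "AAAAB3NzaC1kc3MAAACBAP+1Az1Ix9ZUl/H1N5JwwLCDtGtxrz9AtNFXGuh4xl0B9rue+bTxfs6GOnHBn5VJ7ZdNVaWJOCoCCZvdQ33WB3ED8mtcg1vuBkOKK1DBLlbPP4h6BG0n8tU4gj2nNpPAFX6Tf9Fe7ULYMYgJbDsooYPR4fp3pvXPxToSK9WJLF2X"
    "AAAAFQC2MwvUKLXJFeFejCRRxbc9Q+lPJQAAAIA8"
    "hyw89Mb4ZAFppeJ1HO0ObRTT/NUEkQ54s5lV5Nyl0CD0MB4ITpn/swdfsJ9/4Jp7SoFb3qieFEd+apkJUnzxi2wXLicasfnA8nHQ0P7hM9Nad3KP/OFFFN1uPFTtVui3t94Y22U3KDouqzJ44Zr07u8vMPPXspaJ8FD139cdNQAAAIAF"
    "5SN3GNS2IztrWZNWy8BycH2to9zhWXruKI6ykMVBOaJE5vSil6dU+9T2V2JGGmkIox5N/tI/tJQOMCMzd5Ve9fyax/6X+YSRfvxyjE5cLb7j9f4G1BivtmgfuY3ZrtaAiPLbB6k+MNhPW/W28AMgKdiWMobebLx9ikNl0OkGaQ=="
)
# Fingerprint printed by `ssh-keygen -l` in the post, standing in for the value obtained out of band.
EXPECTED_MD5 = "c0:68:4e:1e:30:43:60:c2:7b:a8:7f:a6:a5:ef:04:2e"

def read_string(buf, off):  # one SSH wire-format string: uint32 big-endian length, then the bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey(line):
    """Parse a keyscan/known_hosts line into (host, keytype, blob bytes, key size in bits)."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    kt, off = read_string(blob, 0)
    if kt.decode() != keytype:
        raise ValueError("key type inside the blob does not match the text field")
    mpints = []  # ssh-dss: p, q, g, y ; ssh-rsa: e, n
    while off < len(blob):
        m, off = read_string(blob, off)
        mpints.append(int.from_bytes(m, "big"))
    size = mpints[0] if keytype == "ssh-dss" else mpints[1]  # p for DSA, n for RSA
    return host, keytype, blob, size.bit_length()

def fingerprint_md5(blob):
    """Fingerprint as OpenSSH 3.x printed it: MD5 of the whole blob, hex, colon separated."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob):
    """Fingerprint as current OpenSSH prints it: SHA256:<unpadded base64 of the digest>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def verify_host_key(line, expected_md5):
    """Return the known_hosts entry only if the fingerprint matches the one obtained out of band."""
    try:
        host, keytype, blob, _bits = parse_pubkey(line)
    except ValueError:
        return None
    if fingerprint_md5(blob) != expected_md5.lower():
        return None
    return f"{host} {keytype} {line.split()[2]}"
```

Only the string verify_host_key returns should be appended to ~/.ssh/known_hosts; a None means the scanned key is not the one you were told to expect.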

On the other hand, you have user keys, which identify a user. User keys
are in ~/.ssh/id_[dr]sa, with the matching public key in a .pub file.
Transfer the .pub file securely to the remote system which you want to
log into. Append the contents of that file to ~/.ssh/authorized_keys (or
whatever the AuthorizedKeys directive in your sshd config file says).

Once you have the keys set up correctly, then you can log in without
needing a password at all, and could probably just disable password
based authorization. Note that this requires controlled access to /one/
host which has the private keys needed for logging in. You shell into
this system, and then use that for accessing everything else.

Devdas Bhagat
