Sunday, January 1, 2012

SSH security

http://www.g-loaded.eu/2005/11/10/ssh-with-keys/

Client side
(assumes a key pair already exists on the client, e.g. ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub created with ssh-keygen)
//Log in to the server with your password once, prepare the target directory there, then log out again.
] ssh username@host.com
] mkdir ~/.ssh
] chmod 0700 ~/.ssh

//Back on the client, copy the public key over. Note: this scp OVERWRITES any authorized_keys the account already has; if other keys are present, append instead (ssh-copy-id, or cat >> authorized_keys).
] scp ~/.ssh/id_dsa.pub username@host.com:~/.ssh/authorized_keys
//The .pub file is not secret and can be regenerated from the private key (ssh-keygen -y), so deleting it is optional. Never delete id_dsa itself.
] rm -f ~/.ssh/id_dsa.pub

//On the client (private key) and on the server (authorized_keys): nobody else may read or write these files. sshd with StrictModes (the default) refuses keys in group- or world-writable files or directories.
] chmod 0600 ~/.ssh/*
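The copy step above overwrites authorized_keys and relies on hand-set permissions. The following added Python example (not from the original page or the linked tutorial) does the same job the safe way: it appends the key only if it is not already present, recognising the same key even behind an options prefix such as from="...", sets the 0700/0600 modes, and then reports what sshd's StrictModes would reject. The demo key blob is a constructed placeholder, not real key material, and the demo runs in a temporary directory instead of a real home.

```python
import os
import stat
import tempfile
from pathlib import Path

# Prefixes of SSH public key types; anything before this token on an
# authorized_keys line is an options list (from=, command=, no-pty, ...).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def key_identity(line):
    """Return (key type, base64 blob) for a public key / authorized_keys line,
    ignoring leading options and the trailing comment. None for comments."""
    if line.lstrip().startswith("#"):
        return None
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            return fields[i], fields[i + 1]
    return None


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to home/.ssh/authorized_keys unless that key is
    already there. Returns True if added, False if it was a duplicate.
    Creates ~/.ssh as 0700 and leaves authorized_keys as 0600."""
    home = Path(home)
    ident = key_identity(pubkey_line)
    if ident is None:
        raise ValueError("not a public key line: %r" % pubkey_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # mkdir's mode is filtered by umask; enforce it
    auth = ssh_dir / "authorized_keys"
    if auth.exists():
        with auth.open() as f:
            present = {key_identity(l) for l in f}
        if ident in present:
            os.chmod(auth, 0o600)
            return False
    with auth.open("a") as f:
        f.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(auth, 0o600)
    return True


def strictmodes_problems(home):
    """List the conditions under which sshd's StrictModes ignores the key:
    the home directory, ~/.ssh or authorized_keys writable by group/others."""
    home = Path(home)
    problems = []
    for path in (home, home / ".ssh", home / ".ssh" / "authorized_keys"):
        if not path.exists():
            problems.append("%s: missing" % path)
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o022:
            problems.append("%s: mode %04o is group/world writable" % (path, mode))
    return problems


# Constructed demo key: the blob is a placeholder, NOT a real key.
DEMO_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoPlaceholderNotARealKey user@client"


def demo():
    """Run the install twice plus once with an options prefix, in a temp dir."""
    home = Path(tempfile.mkdtemp(prefix="sshdemo-"))
    first = install_authorized_key(home, DEMO_KEY)
    second = install_authorized_key(home, DEMO_KEY)
    # Same key restricted to one source address: still recognised as a duplicate.
    third = install_authorized_key(home, 'from="192.0.2.5",no-pty ' + DEMO_KEY)
    lines = (home / ".ssh" / "authorized_keys").read_text().splitlines()
    return {"first": first, "second": second, "third": third,
            "lines": len(lines), "problems": strictmodes_problems(home)}


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the result of the demo; in real use, call install_authorized_key with the target account's home directory and the contents of id_dsa.pub.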

//Restrict SSH to a limited group of users ** run on the server, needs root privilege. Add every account that must keep SSH access (including your own) before AllowGroups below is enabled.
] groupadd sshusers
] usermod -a -G sshusers username

Server side (edit /etc/ssh/sshd_config; a line starting with # is a comment and has no effect, so remove the # from each line you want to enable. When a keyword appears more than once, sshd uses the first active occurrence.)
//Do not allow root login with SSH
] vi /etc/ssh/sshd_config
#PermitRootLogin no

//Use the SSH-2 protocol only (OpenSSH 7.6 and later no longer speak protocol 1 and report this keyword as deprecated).
#Protocol 2

#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

//Login with key only. RSAAuthentication is the SSH-1 option and is irrelevant once Protocol 2 is set (it was removed together with protocol 1); SSH-2 public keys are governed by PubkeyAuthentication above.
#RSAAuthentication no
#PasswordAuthentication no
//Caveat: with UsePAM yes, PasswordAuthentication no alone is not enough, because PAM can still prompt for a password through keyboard-interactive authentication; also set ChallengeResponseAuthentication no (called KbdInteractiveAuthentication in recent OpenSSH). Turning PAM off entirely can break account and session handling on distributions that rely on it, so keeping UsePAM yes and disabling both password paths is the safer choice.
#UsePAM no
#KerberosAuthentication no
#GSSAPIAuthentication no

//Only members of sshusers may log in. Check your own membership first, keep the current session open, and test a fresh login from a second terminal after the restart, or you lock yourself out.
#AllowGroups sshusers
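Whether a hardening line is in force depends on two sshd_config rules that are easy to get wrong: a leading # turns the line into a comment, and when a keyword appears twice the first active occurrence wins. The added Python example below (not part of the original page) parses a constructed sshd_config containing exactly those mistakes and reports which of the settings above are not actually in effect. The wanted values are this page's, plus ChallengeResponseAuthentication no as an assumed extra check; settings inside Match blocks are conditional and are deliberately left out.

```python
import re

# Values this page's sshd_config section asks for, plus
# ChallengeResponseAuthentication (assumed addition: without it, PAM can still
# offer a password prompt via keyboard-interactive authentication).
HARDENED = {
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "kerberosauthentication": "no",
    "gssapiauthentication": "no",
    "allowgroups": "sshusers",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd.
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*?)\s*$")


def effective_settings(config_text):
    """Map keyword -> value for the first active occurrence of each keyword,
    as sshd does: blank and '#' lines are ignored, later duplicates lose,
    and parsing stops at the first Match block (conditional settings)."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)   # first one wins
    return effective


def audit(config_text):
    """Return (keyword, effective value or None, wanted) for every hardened
    setting that is not in force. The wanted token only has to appear in the
    value's word list, so 'AllowGroups sshusers admins' still passes."""
    eff = effective_settings(config_text)
    findings = []
    for keyword, wanted in HARDENED.items():
        value = eff.get(keyword)
        if value is None or wanted not in value.lower().split():
            findings.append((keyword, value, wanted))
    return findings


# Constructed sample config for the demo; not taken from any real server.
SAMPLE_CONFIG = """\
# constructed sample /etc/ssh/sshd_config
Port 22
# The next line is still commented out, so root login keeps its default:
#PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# Duplicate keyword: sshd keeps the first value, so this one is ignored
PasswordAuthentication yes
# Left at yes, so PAM can still ask for a password via keyboard-interactive
ChallengeResponseAuthentication yes
KerberosAuthentication no
GSSAPIAuthentication no
AllowGroups sshusers admins
Match User backup
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for keyword, value, wanted in audit(SAMPLE_CONFIG):
        print("%-32s effective=%-6s wanted=%s" % (keyword, value, wanted))
```

On a live server the authoritative check is `sshd -T`, which prints the configuration sshd actually resolved; the parser above is useful for reviewing config files offline, before they are deployed.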


//Restarting the server
//Optional: regenerate the host keys. Removing them from /etc/ssh makes the init script create fresh ones at the next start (on newer systems: ssh-keygen -A). Every client that already knows this server will then get a "host key has changed" warning, so do this on a fresh install only.
]rm -f /etc/ssh/ssh_host*key*
]service sshd restart

//Get the fingerprint of the server's host key, on the server itself (console or an already trusted session), so that the client can compare it with what ssh shows on first connection. Newer ssh-keygen prints SHA256 fingerprints; add -E md5 for the old colon-separated hex form.
]ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

Hashing the known_hosts file
Because the servers’ hostnames and addresses are stored in plain text in the known_hosts file, anyone who reads it (or malware that steals it) gets a list of the machines you log in to. Hashing it is therefore a good habit. This can be done using the ssh-keygen utility. Type:

]ssh-keygen -H -f ~/.ssh/known_hosts

The hostnames become unreadable to a human, but ssh can still match them: each entry stores a salted hash of the hostname, and ssh hashes the name it is connecting to with the same salt and compares the result. Make sure you permanently delete the known_hosts.old backup file that ssh-keygen leaves behind, since it still contains the plain-text names.
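To show what -H actually does, and why ssh can still use the file afterwards, the added Python example below (not from the original page) reproduces the hashed known_hosts format: "|1|" followed by a base64 20-byte random salt, "|", and the base64 HMAC-SHA1 of the hostname keyed with that salt. It hashes a constructed known_hosts line (placeholder key blob, not a real host key) and then looks hosts up the way ssh does. Wildcard and negated host patterns are not handled; that is a simplification of this example.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"          # marks a hashed hostname entry in known_hosts


def hash_hostname(hostname, salt=None):
    """Hashed form of one hostname: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    if salt is None:
        salt = os.urandom(20)         # ssh-keygen draws a fresh 20-byte salt per line
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(mac).decode())


def hashed_entry_matches(entry_host, hostname):
    """True if a known_hosts host field (hashed or plain) names hostname."""
    if not entry_host.startswith(HASH_MAGIC):
        return entry_host == hostname     # plain entry; patterns not handled here
    salt_b64, mac_b64 = entry_host[len(HASH_MAGIC):].split("|", 1)
    salt = base64.b64decode(salt_b64)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(mac_b64))


def hash_known_hosts(text):
    """Rewrite plain entries into hashed ones, one line per host like ssh-keygen -H."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith(HASH_MAGIC):
            out.append(line)
            continue
        marker = ""
        if line.startswith("@"):          # @cert-authority / @revoked stay in front
            marker, line = line.split(None, 1)
            marker += " "
        hosts, keypart = line.split(None, 1)
        for host in hosts.split(","):
            out.append(marker + hash_hostname(host) + " " + keypart)
    return "\n".join(out) + "\n"


def lookup(text, hostname):
    """Key fields of every entry matching hostname, the way ssh searches the file."""
    found = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("@"):
            _, line = line.split(None, 1)
        hosts, keypart = line.split(None, 1)
        if any(hashed_entry_matches(h, hostname) for h in hosts.split(",")):
            found.append(keypart)
    return found


# Constructed sample entry; the key blob is a placeholder, not a real host key.
SAMPLE = "server.example.com,192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderHostKey\n"


if __name__ == "__main__":
    hashed = hash_known_hosts(SAMPLE)
    print(hashed)
    print(lookup(hashed, "192.0.2.10"))
```

Because the salt is random, hashing the same file twice gives different lines, and a stolen file cannot be reversed to a hostname without guessing names and checking each against every salt.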


Change your private key’s passphrase
If you ever need to change the private key’s passphrase you can use ssh-keygen:
]ssh-keygen -p -f ~/.ssh/id_dsa


Add a key to the agent’s cache

]ssh-add ~/.ssh/id_rsa

======

The ssh-agent’s configuration

What we need is to start the agent when we login to our client machine’s shell and stop it when we log out. So, we add the following line to ~/.bash_profile:

eval `ssh-agent`

Why do we use eval? When the ssh-agent is started, it just prints some commands to the stdout. These commands set and export the environment variables we talked about earlier. We use eval, so that these commands are actually executed, or better, evaluated by the shell, so the environment variables are made available to all applications that can use them.

We add the following line to ~/.bash_logout

eval `ssh-agent -k`

This "unsets" the environment variables and kills the agent every time we logout.

Management of cached passphrases

A small utility called ssh-add is used to manage the cached passphrases.

To add a key to the ssh-agent’s cache, we issue the command:

# ssh-add ~/.ssh/id_dsa

We are prompted for the passphrase. After typing it successfully, it gets cached. From now on, the cached passphrase will be automatically used for every connection we make to the SSH server. Convenient!
If we store our key to the standard location ~/.ssh/ and name it with the standard filename id_dsa, then ssh-add can be run without arguments. Our key will be used.

To list the cached keys we type:

# ssh-add -l

To remove a cached key:

# ssh-add -d ~/.ssh/id_dsa

To empty the ssh-agent’s cache:

# ssh-add -D

=======================

### install fail2ban 
