ssh?

Cameron Simpson cs at zip.com.au
Fri Jun 20 00:49:08 UTC 2008


On 19Jun2008 17:01, jeff at bubble.org <jeff at bubble.org> wrote:
| The first thing I did on my workstation (that I ssh from) was create a
| public/private key pair and install the public key in
| ~/.ssh/authorized_keys2, and disable the password authentication in
| /etc/ssh/sshd_config, and everything so far works great.

You should also disable PermitRootLogin and set up an AllowUsers line in
sshd_config; this gives you tighter control.

| The issue I came up with is that one of the systems sits on my home network
| behind a firewall; it would be nice if I could only require the public key
| for systems not on my local network, e.g. only the systems on the internet
| must be known.

For why? Run an ssh-agent in your shell. Add your key to the agent.
Use ssh (which will silently use the key) to connect regardless.
Seriously, this is much more secure (because you never set up an
insecure ssh) and in the long run more convenient.

| I guess telnet is an option since it is blocked at the firewall.

It's an option, but poor.

| Next question/problem: if I create an account for somebody to use when
| connecting to the system, I must put their public key in their home
| directory; can it be done the reverse?  In other words, can I provide them
| a key for the system, and if they don't have that key they cannot connect
| to the system?

Sure - it just means you make the key first. But that has two problems:
1) you know the passphrase to the key - only they should know it, and 2)
you have to get the _private_ key to them securely. Putting it on a USB
thumb drive and physically handing it to them might do (2), provided you then
scrub the USB thumb drive and ensure they install the private key
securely.

If they make the key, they just send you the public half, which can be sent
more openly, since it does not need to be secret. Of course, there is the
issue of ensuring that a key that arrives in email really came from the user
you intend to grant access to... A phone call can be used for this.
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/
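The reply above recommends disabling password authentication, turning off PermitRootLogin and adding an AllowUsers line. The script below is an added example, not code from Cameron Simpson or the fedora-list thread: it audits an sshd_config for exactly those three settings the way sshd itself reads the file (comments ignored, the first occurrence of a keyword wins, and settings inside a Match block are conditional, so they do not count as the global value). The config it checks is a constructed sample written to a temp file, and the usernames in it are placeholders; it only handles the whitespace "Keyword value" form, not "Keyword=value".

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshd_config for the
# three hardening settings recommended in the reply above.

# Write a constructed sample sshd_config and print its path. The content is
# deliberately messy: a commented-out line, a duplicated keyword, and a
# Match block, so the parser's handling of each can be seen.
sample_config_path() {
    p="${TMPDIR:-/tmp}/sshd_config.sample.$$"
    cat >"$p" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
#PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin yes
AllowUsers jeff cameron
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
    echo "$p"
}

# sshd_effective FILE KEYWORD
# Print the effective global value of KEYWORD. Mirrors sshd's rules:
#   - comment and blank lines are ignored,
#   - the FIRST occurrence of a keyword is the one that takes effect,
#   - everything from the first "Match" line onward is conditional and is
#     therefore skipped when looking for the global value.
# Prints nothing if the keyword is not set (sshd's built-in default applies).
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { in_match = 1; next }
        in_match                            { next }
        tolower($1) == tolower(key) && !found {
            found = 1
            $1 = ""
            sub(/^[[:space:]]+/, "")
            print
        }
    ' "$1"
}

# sshd_audit FILE
# Print one OK/WARN line per check; return 0 only if every check passes.
sshd_audit() {
    f="$1"; rc=0

    v=$(sshd_effective "$f" PasswordAuthentication)
    if [ "$v" = "no" ]; then
        echo "OK   PasswordAuthentication no"
    else
        echo "WARN PasswordAuthentication is '${v:-unset, sshd default applies}'"
        rc=1
    fi

    v=$(sshd_effective "$f" PermitRootLogin)
    if [ "$v" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "WARN PermitRootLogin is '${v:-unset, sshd default applies}'"
        rc=1
    fi

    v=$(sshd_effective "$f" AllowUsers)
    if [ -n "$v" ]; then
        echo "OK   AllowUsers restricts logins to: $v"
    else
        echo "WARN no AllowUsers line; every account with a shell can try to log in"
        rc=1
    fi

    return "$rc"
}

# Stand-alone run: audit the constructed sample (expect one WARN for
# PermitRootLogin, since the commented-out line does not count and the
# live one says "yes").
if [ "${1:-}" = "--demo" ]; then
    f=$(sample_config_path)
    sshd_audit "$f"
    rm -f "$f"
fi
```

Run it with `sh audit.sh --demo`, or point `sshd_audit` at `/etc/ssh/sshd_config`. For the ssh-agent workflow the reply recommends, `eval "$(ssh-agent -s)"` followed by `ssh-add ~/.ssh/id_rsa` loads the key once per session so that ssh uses it silently thereafter. For the "did this public key really come from the user?" problem, `ssh-keygen -l -f received_key.pub` prints the key's fingerprint, which both sides can read out over the phone call the reply suggests before the key goes into authorized_keys.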