Entries Tagged as 'Secure Shell (SSH)'

SSH Login Without Password Prompt

Often you have a set of machines you trust implicitly, and you’d like to make ssh logins and scp copies less tedious by not having the system prompt you for the password. It used to be incredibly confusing to manually set up and install the keys on remote machines; with OpenSSH, though, it’s gotten a lot easier.

The first thing you need to do is create a public/private key pair; to do that you run ssh-keygen on your machine (you’ll either need to be on the console or have previously made an ssh connection).

For this example, the “local” workstation will be superman, and the remote server will be aries.

roger@superman$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/roger/.ssh/id_rsa):
[Press Enter Key]
Enter passphrase (empty for no passphrase):
[Press Enter Key]
Enter same passphrase again:
[Press Enter Key]
Your identification has been saved in /home/roger/.ssh/id_rsa.
Your public key has been saved in /home/roger/.ssh/id_rsa.pub.
The key fingerprint is:
de:ad:be:ef:01:02:03:04:05:06:07:07:09:0a:0b:0c roger@superman

Then we need to copy the public key to the remote host using ssh-copy-id.

roger@superman$ ssh-copy-id -i ~/.ssh/id_rsa.pub aries
roger@aries's password:

Finally, we can log onto the remote machine without a password.

roger@superman$ ssh aries
Last login: Sun Jan 2 12:12:12 2011 from superman
roger@aries$

You can take a look at the key files that were generated. You can use ssh-copy-id to copy the public key to as many machines as you want, and you can use the same private key file on each of your machines for more seamless access; but be aware that you should only place your public key on machines you trust.

NOTE:  If you use ssh-agent (and ssh-add) to manage keys, ssh-copy-id will attempt to access the key from ssh-agent.
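As an added example (not from the original post), here is a small POSIX shell function that does on the remote side what ssh-copy-id does for you: it appends the public key to ~/.ssh/authorized_keys only if that key is not already there, and sets the 700/600 permissions that sshd's StrictModes check requires before it will honour the file. The function names, the directory argument and the sample key are constructed for the example.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE SSH_DIR
# Hypothetical helper: idempotently install one OpenSSH public key into
# SSH_DIR/authorized_keys with the permissions sshd expects.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a single OpenSSH public-key line; this rejects a private
    # key (id_rsa) copied by mistake, which is a common slip.
    if ! head -n1 "$pubkey_file" | grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+'; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi
    key=$(head -n1 "$pubkey_file")

    # Create the files closed from the start (no window where they are
    # group/world readable), then pin the permissions sshd's StrictModes wants.
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare key type + base64 only, so a changed comment ("roger@superman")
    # does not produce a duplicate entry.
    keyid=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth_keys" | grep -Fxq -- "$keyid"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
    echo "installed"
}

# count_keys AUTHORIZED_KEYS: how many keys grant access to this account.
# Handy for a periodic audit of which machines can log in without a password.
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1"
}
```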

Originally posted 2011-01-04 02:00:12.

Remote Access

I’ve been using a combination of Bitvise WinSSHD and Tunnelier for remote access to my home network. It basically allows me to tunnel an RDP (or simple command shell) via SSH to a virtual machine running on my server (actually each “user” has a virtual machine all to their own, so there’s no contention).

I really like the simplicity of the SSH tunnel, and find that running it on port 22 and port 443 provides me with a very good likelihood of being able to connect through all but the most draconian firewalls.

You will want to make sure that you implement good security policies on your SSH server, and that you either use pre-shared keys or certificates OR that you make sure you have a strong password. There are a number of bots out there that try to break into an SSH server using a list of well-known user names and a dictionary attack for the password.

WinSSHD will lock out IP addresses after a number of failed attempts; but I created a test account called “test” with the password “password” just to see what the bot would try to do (the account was jailed without any write privilege in a safe sub-directory with no files). The bot got frustrated and went away, but it was trying to upload files, and I would guess execute them (probably propagating itself).

You can black list IP addresses, and if you’re like me you run the DynDNS client (I use DynDNS.org for my dynamic IP naming service; it’s free, and it works well) on your notebooks so that you “know” their IP address via a fixed host name (though in WinSSHD the IP black list supersedes a DNS name white list).

http://www.bitvise.com/

http://www.dyndns.org/ or http://www.dyndns.com/

Originally posted 2008-10-30 13:00:59.

Hackers

I’ve noticed that here lately my SSH server has had an increasing number of hackers trying to log in. Mostly they’re from the APNIC (Asia-Pacific) region, but a fair number from other regions (including North America) as well.

Since I have no plans to travel abroad in the near future I went ahead and blocked out all IP addresses registered through any registrar except ARIN, and I also added several hosting companies that seem to have customers that either don’t secure their servers well or they themselves launch cyber attacks.

It’s generally a good idea to make sure that any server that can be used to gain entry to your network is as secure and limited as possible.  Obviously you don’t want to go overboard and make it impossible for you to do what you need with relative ease; but that said, you don’t want to make it easy for others to do things to your computers.

Originally posted 2010-01-25 01:00:43.