
RE: SSH and RSA



> -----Original Message-----
> From: Duane Powers [mailto:duane@uberLAN.net]
> Sent: Tuesday, February 20, 2001 7:37 AM
> To: Mike Dresser
> Cc: debian-security@lists.debian.org
> Subject: Re: SSH and RSA
> 
> 
> Mike Dresser wrote:
> 
> > You don't mention whether the previous admin is still with
> > you, but if not, you'll want to remove his RSA keys from the
> > server, or else you can change your root password all you want,
> > and he'll still be able to connect, assuming he can get to the
> > machine via your network/internet.

Duane,

Mike has an exceptionally pertinent point here.

Right now - even before you start trying to load your own RSA key in, log
into all machines running SSH and remove the previous admin's key from
~root/.ssh/authorized_keys:

from=10.0.0.1,command="uptime" 1024 35 1394851345275555235534952349785023974659023475923475089234758907234057564387523487589234750234765079234658079623457862340769510950293476590175907234650934234948571390874534925902345907623490562347895638924765923876589237465892374659389234752348907569234590234579013465978234658972346589762349856239487562347896 Bilbo Baggins
1024 35 13948513452755552355349523497850239746590234759234750892347589072340575643875234875892347502347650792346580796234578623407951095029347659017590723465093423494857139087453492590234590762349056234789563892476592387658923746589237465934892347523489075692345902345790134659782346589723465897623498562394875623478 96 Joe Random
1024 35 13948513452755552355349523497850239746590234759234750892347589072340575643875234875892347502347650792346580796234578623407951095029347659017590723465093423494857139087453492590234590762349056234789563892476592387658923746589237465934892347523489075692345902345790134659782346589723465897623498562394875623478 96 Jayne Eyre

Each line in this file contains some optional directives (as in the first entry
above: from=, command=), a public key (which starts with 1024 35 XXX.... in the
examples above), and a comment, usually the name or email address of the person
who generated it.  Remove any appearing to belong to the previous admin.

Those containing a command="..." directive will only be able to execute that
command and so may be related to automated processes.

To add your own key, first generate it (possibly on your workstation if you
are sure it is well secured) using ssh-keygen.  Make sure you use a
passphrase.  A command like:

ssh-keygen -b 1024 -f .ssh/identity -C "Joe New Admin"

should suffice.  Make sure that the generated .ssh/identity is not readable
by anyone but you, and that it is not writeable by anybody.

Now copy the file .ssh/identity.pub onto all of the machines running SSH and
add it to the end of ~root/.ssh/authorized_keys on each machine.  You can do
this using scp or even a cut-and-paste via ssh.  Make sure that you do not
split the line up when adding it to authorized_keys.

This will give you RSA keypair authentication to all of those machines
instead of password access.

I would also recommend creating a non-root account to log in with and
totally disallowing root logins.  You would be able to simply move the
authorized_keys file to the non-root .ssh directory.

-- 
Andrew J. Stephen                             Network Operations Manager

        "The important thing about standards is to have them."
         -- Bruce Schneier, creator of the Twofish algorithm  

> A couple of quick notes, I just realized that by trying to be cute and
> putting my comments in angle brackets, those among us who may read html
> mail, may not be able to see my comments (my bad).
> 
> And second, I saw him login once, he was prompted for his RSA key as 
> follows:
> (to the best of my recollection)
> ssh root@host.com
> enter RSA passkey:
> #  <<<---- remote prompt
> 
> > 
> > 
> > Duane Powers wrote:
> > 
> >> Hi all,
> >> 
> >> Recently I was made administrator over a dozen Solaris boxen <heh>
> >> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> >> He allowed root login, and used the RSA key functionality to keep the root
> >> password safe.
> >> I am not as mature as he was regarding ssh <newbie> and have only used
> >> ssh as a plug in replacement to telnet, <I tend to not set a different
> >> p/w during ssh-keygen> and simply access the boxes as follows:
> >> ssh -l <me> <hostname>
> >> then I login using the normal p/w that is local to the box. I have found
> >> that he did not need to transmit the local password over the tunnel, but
> >> rather used RSA to verify his identity, but I can't find documentation on
> >> how to do it.
> >> <man ssh, man ssh-agent, man ssh-add, Practical UNIX & Internet
> >> Security> does anyone have any information on how I can implement the
> >> same safeguards? Or where I can at least find some documentation on
> >> practical ssh implementation.
> >> 
> >> As always, You guys are great, thanks in advance for the help,
> >> 
> >> ~duane
> > 
> 
> 
> --
> 
> The plan was simple.  Unfortunately, so was Bullwinkle.
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


This email with any attachments is confidential and may be subject to legal
privilege.  If it is not intended for you please reply immediately, destroy
it and do not copy, disclose or use it in any way.  
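An added example, not code from Andrew, Duane or anyone else in this thread: a small Python audit script that does what the reply above describes, for an authorized_keys file in the SSH-1 "bits exponent modulus comment" form shown there. It parses each entry (directives, key, comment), flags the command= entries that are likely automated processes, removes the entries whose comment matches a departed admin, refuses to append a new identity.pub line that has been split across lines, and checks the private key's mode bits. It goes beyond the message in one respect: it also accepts the modern OpenSSH "ssh-rsa AAAA... comment" line form. Function names, the KEY_TYPES set and the SAMPLE file (with shortened placeholder moduli) are my own constructions.

```python
"""Audit an SSH authorized_keys file: list entries, flag command= restricted
ones, remove a departed admin's keys, and append a new key safely."""
import re

# Modern key types, so the parser also handles "ssh-rsa AAAA... comment" lines
# (assumption: the message only shows the SSH-1 "bits exponent modulus" form).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _split_options(line):
    """Split 'opt1,opt2="a b" <key...>' at the first whitespace outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""


def _parse_option_list(text):
    """Turn 'from=10.0.0.1,command="uptime",no-pty' into a dict; bare flags map to True."""
    options, items, buf, in_quote = {}, [], [], False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            items.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if buf:
        items.append("".join(buf))
    for item in items:
        name, sep, value = item.partition("=")
        options[name.strip()] = value.strip().strip('"') if sep else True
    return options


def parse_entry(line):
    """Parse one authorized_keys line; None for blank, '#' comment or malformed lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    first = stripped.split(None, 1)[0]
    if first[0].isdigit() or first in KEY_TYPES:
        options, rest = {}, stripped            # no directives on this line
    else:
        opt_text, rest = _split_options(stripped)
        options = _parse_option_list(opt_text)
    fields = rest.split()
    if fields and fields[0].isdigit():          # SSH-1: bits exponent modulus [comment]
        if len(fields) < 3:
            return None
        key, comment = ("rsa1",) + tuple(fields[:3]), " ".join(fields[3:])
    else:                                       # OpenSSH: keytype base64 [comment]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            return None
        key, comment = tuple(fields[:2]), " ".join(fields[2:])
    return {"options": options, "key": key, "comment": comment, "line": line}


def parse_authorized_keys(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def restricted_entries(entries):
    """Entries carrying command=...: the automated-process keys the message mentions."""
    return [e for e in entries if "command" in e["options"]]


def remove_entries(text, comment_pattern):
    """Return (new_text, removed): drop every key whose comment matches the regex.
    Blank lines and '#' comments are kept untouched."""
    pat = re.compile(comment_pattern)
    kept, removed = [], []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and pat.search(entry["comment"]):
            removed.append(entry)
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else ""), removed


def append_key(text, pub_line):
    """Append one identity.pub line; refuse anything that is not exactly one
    parseable entry (a pasted key that got wrapped onto two lines fails here)."""
    lines = [l for l in pub_line.splitlines() if l.strip()]
    if len(lines) != 1 or parse_entry(lines[0]) is None:
        raise ValueError("public key must be a single, unbroken authorized_keys line")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + lines[0].strip() + "\n"


def private_key_mode_ok(mode):
    """True when no group/other permission bit is set, e.g. os.stat(path).st_mode == 0o100600."""
    return mode & 0o077 == 0


# Constructed sample file; the moduli are short placeholders, not real keys.
SAMPLE = '''# root keys
from=10.0.0.1,command="uptime" 1024 35 1394851345275555235534952 Bilbo Baggins
1024 35 1394851345275555235534952349785023974659 Joe Random
1024 35 1394851345275555235534952349785023974659 Jayne Eyre
command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 backup@nas
'''

if __name__ == "__main__":
    entries = parse_authorized_keys(SAMPLE)
    for e in entries:
        print(e["key"][0], repr(e["comment"]), e["options"])
    print("restricted:", [e["comment"] for e in restricted_entries(entries)])
    new_text, gone = remove_entries(SAMPLE, r"Joe Random")
    print("removed:", [e["comment"] for e in gone])
    print(append_key(new_text, "1024 35 987654321 Joe New Admin"))
```

Run it as a script to see the four parsed entries, the two command= restricted ones, and the file with "Joe Random" removed and the new admin's key appended. To use it on a real host, read ~root/.ssh/authorized_keys into `text`, write the result back, and pass `os.stat(".ssh/identity").st_mode` to `private_key_mode_ok` to confirm the private key is not group- or world-readable.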