
Re: SSH Blocking



On Mon, 25 Apr 2005 23:50:15 +0200, in linux.debian.user you wrote:

>On Mon, Apr 25, 2005 at 02:26:04PM -0700, Beretta wrote:
>> If you want to eliminate the possibility that one of these scans and/or login
>> attempts will eventually succeed (unlikely if you use good passwords), then
>> disable root login to ssh and disable password based logins.
>
>That would work great for me right now -- when I'm using my
>laptop and I have my laptop's public key in
>~/.ssh/authorized_keys on all the remote servers I care
>about. But what do I do when I come to a new machine and
>want to log into the server? I need to get the public key up
>there somehow. 
>
<snip>

No no. You generate one public and private key pair. In all the machines you
want to login to you put the PUBLIC part in ~/.ssh/authorized_keys.

You keep the SECRET part with you. (by with you I mean on a floppy, or a usb
dongle, or in the home directory of your personal machine, or .. you get the
idea)

A good analogy would be like PGP/GNUPG. The public key is widely disseminated.
The secret key is kept secret and private.

I'm not 100% sure of the exact mechanics that are used, but I believe it is thus:
When you attempt to login, the remote machine encrypts the login sequence to
your public key (which it finds in ~/.ssh/authorized_keys). Only the private key
can possibly decrypt that sequence. So when your ssh client (be it ssh or putty
or securecrt, etc) sends back the correct response, you have authenticated with
cryptographic certainty.

One of the nice benefits is that if you are damn sure that your personal machine
is spyware/virus free and won't end up in the hands of an evil doer, you can
generate your keypair so that the private key has no password required to
decrypt it. Thus you get a nice secure password-less login. If you are overly
paranoid like me, when you generate your keypair you give a password that is used
to encrypt the private key. Thus if someone manages to steal your laptop or usb
dongle or floppy (etc), they still don't have access to the private key, as it
is wrapped in 128-bit encryption.

And yes, that's the exact same method that PGP/GNUPG uses.
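
Added example, not part of the original message: a shell check that a server's sshd_config carries the two settings recommended in the thread (no root login, no password logins). The function names and the sample configs are constructed for illustration; a keyword that is not set is reported as a failure because the result would then depend on the sshd default.

```shell
#!/bin/sh
# Added example (not from the original message): check the global section of an
# sshd_config for the two settings recommended in the thread.

# Print the global value of keyword $2 in file $1, or "unset".
# sshd matches keywords case-insensitively and uses the first value it finds.
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/#.*/, "") }                  # strip comments
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # Match blocks are conditional
        tolower($1) == want && !found { val = $2; found = 1 }
        END { print val }
    ' "$1"
}

# Return 0 only if root login and password logins are both explicitly "no".
audit_sshd() {
    rc=0
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_value "$1" "$kw")
        if [ "$v" = "no" ]; then
            echo "ok:   $kw no"
        else
            echo "FAIL: $kw is '$v', expected 'no'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs, written to a temporary directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hardened" <<'EOF'
# keys only, no direct root login
permitrootlogin no
PasswordAuthentication no
PasswordAuthentication yes   # ignored: the first value wins
EOF
cat > "$demo_dir/weak" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication no
EOF

audit_sshd "$demo_dir/hardened" || echo "hardened sample failed the audit"
audit_sshd "$demo_dir/weak" || echo "weak sample failed the audit, as intended"
```

Confirm that key-based login works in a second session before applying these settings to a remote server, so a mistake does not lock you out.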



