
Re: Debian SSH server configuration



On (25/04/06 19:23), Bruce Corbin wrote:
> Hi All,
> 
> Before you flame me --- I asked this question over in debian-ssh and 
> after 24 hours I didn't have a single hit on it.  So I thought I would 
> try it over here.
> 
> I would like to configure a Debian server to only allow clients to ssh 
> in if the public keys (probably RSA keys) already reside on the hard 
> drives of both machines.
> 
> After spending some time in the snail book I am able to use 
> "StrictHostKeyChecking yes" in the clients /etc/ssh/ssh_config file to 
> cause the client to refuse to establish a ssh connection unless the 
> server's public key is in the client's /home/user-name/.ssh/known_hosts 
> file.  This is useful in preventing "overly trusting users" from blindly 
> answering "yes" and accepting man-in-the-middle keys when connecting to 
> a new server.  But, this does not restrict who can connect to the server.

I haven't used this setting. What happens when the server's key expires?

> 
> I tried putting "StrictHostKeyChecking yes" in the server's 
> /etc/ssh/sshd_config file but I got a "bad configuration option" error.

StrictHostKeyChecking is a client configuration directive, not a server
one.

> My server's /etc/ssh/sshd_config file has "PublicKeyAuthentication yes" 

Good

> and "PasswordAuthentication no". 

Any other methods allowed?

> I am uneasy about experimenting with 
> PublicKeyAuthentication without having a better understanding of what it 
> really does.  I don't want to turn off any authentication features or 
> turn off any encryption features and leave myself wide open but thinking 
> that I am secure.
> 

The sshd_config file has pretty conservative settings by default, i.e.
it disables things that are at the riskier end of the scale. Turning off
PasswordAuthentication and others and using PublicKeyAuthentication
should make you more secure (by that I mean you will be immune from
script kiddies using password guessing scripts). You are right to be
careful about what you do though.

I would not recommend turning off password authentication until the end
of the process unless you have local access to the server, otherwise you're
on your own.

You haven't actually explained what your problem is, so I'll just
describe the usual setup.

The server has a certificate so that you know who they are, and you get
this bit and have set it up. 

The client has a key, this is slightly different, as there is no web of
trust or similar, the client just has to prove knowledge of that secret.
You have to create a key for each client. This is easily done with 

ssh-keygen -t rsa 

on the client machine. You then need to get this key to the server so
that it can check it with the client. The easiest way to do this is with 

ssh-copy-id -i ~/.ssh/id_rsa.pub username@server

You can then 

ssh username@server

and instead of being prompted to enter your password for the server you
will be prompted for the passphrase on the key. Turn on debugging output
from ssh if you want to confirm it is using key based authentication.

Then I would recommend looking in to ssh-agent, and libpam-ssh.
libpam-ssh is one of the most useful bits of software I have installed. 

You can get a full walkthrough here
http://www.debian-administration.org/articles/152


James

> 
> Any suggestions?
> 

http://www.google.co.uk/search?hl=en&q=ssh+key&btnG=Google+Search&meta=

-- 
  James Westby
  jw+debian@jameswestby.net
  http://jameswestby.net/
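An added example, not part of the thread or of either poster's setup: a small POSIX sh audit of an sshd_config that checks the two points raised above, that StrictHostKeyChecking is a client directive sshd rejects, and that no non-key method (password or challenge-response) is still enabled. Two facts it relies on from sshd_config(5): the server keyword is PubkeyAuthentication (sshd does not know a "PublicKeyAuthentication" keyword), and for each keyword the first value in the file wins, so a "no" added below an existing "yes" has no effect. The sample configs are constructed; the script assumes no Match blocks and "Keyword value" syntax rather than "Keyword=value".

```shell
#!/bin/sh
# Added example: audit an sshd_config for a key-only setup.
# Assumptions: no Match blocks; directives written "Keyword value".

# sshd_config(5): for each keyword the FIRST value wins, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
# Prints the effective value, or nothing when the keyword is unset.
sshd_effective() {  # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Client-only (ssh_config) directives that make sshd fail with
# "Bad configuration option", as happened with StrictHostKeyChecking.
sshd_client_only_directives() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        tolower($1) == "stricthostkeychecking" { print $1 }'
}

# Defaults applied to unset keywords are the OpenSSH defaults:
# PubkeyAuthentication yes, PasswordAuthentication yes,
# ChallengeResponseAuthentication yes (newer name: KbdInteractiveAuthentication).
# Returns 0 when the file is key-only, 1 otherwise; problems go to stdout.
audit_sshd_config() {
    cfg=$1
    rc=0
    for bad in $(sshd_client_only_directives "$cfg"); do
        echo "client-only directive $bad: sshd will refuse to start"
        rc=1
    done
    v=$(sshd_effective "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || { echo "PubkeyAuthentication is $v"; rc=1; }
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] || { echo "PasswordAuthentication is ${v:-unset (default yes)}"; rc=1; }
    v=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    [ -n "$v" ] || v=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ "${v:-yes}" = no ] || { echo "ChallengeResponseAuthentication is ${v:-unset (default yes)}"; rc=1; }
    return $rc
}

# Constructed sample: the intended key-only server configuration.
GOOD_CFG='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes'

# Constructed sample: the client directive that produced the error in the
# thread, plus a second PasswordAuthentication line that does NOT take effect.
BAD_CFG='# a client option in the server file
StrictHostKeyChecking yes
PubkeyAuthentication yes
PasswordAuthentication yes
PasswordAuthentication no'

audit_sshd_config "$GOOD_CFG" && echo "good config: key-only"
audit_sshd_config "$BAD_CFG" || echo "bad config: not key-only"
```

On a real server the equivalent sanity check before restarting is `sshd -t -f /etc/ssh/sshd_config`, which reports bad options without starting the daemon; keep an existing session open while you do it, for the reason given above about turning off password authentication.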


