
Re: server security :: user accounts, ssh, passphrases, etc.





On 01/04/2008, Russell L. Harris <rlharris@oplink.net> wrote:
SYSTEM:

    (1) firewall/router (SmoothWall Express 2.0) which (using NAT)
    provides and protects both a "green" zone for a LAN and an
    "orange" zone ("DMZ") for a publicly-accessible server

    (2) ftp or http server in the DMZ

    (3) desktop machine in the LAN from which the sysop maintains the
    server

SITUATION:

    It is convenient to use "scp" for transferring files between the
    desktop machine in the LAN and the server, and to use "ssh" for
    remote maintenance of the server, again from the desktop machine
    in the LAN.  And to eliminate the constant typing of password,
    ssh-agent can be installed.

    Such remote maintenance of the server from a machine in the LAN
    becomes tedious unless there is on each machine an account with
    the same username, password, and passphrase.

QUESTION:

    Is there a major or unreasonable security risk if the sysop
    creates on the server an account with the same username, password,
    and passphrase as his account on the desktop machine?  That is, if
    the server is compromised, should the sysop change his password,
    passphrase, etc.?

    If so, what is the recommended alternative?  Is there a HOWTO on
    this subject?

RLH

Hey,
  There is definitely an alternative. ssh can authenticate using public keys.
  `ssh-keygen` generates a public and private keypair. Echo the public portion into ~/.ssh/authorized_keys on the DMZ server and keep the private portion with the sysop. Copy the private key portion into ~/.ssh on the hosts that the sysop is using and you won't need a password.
  This works cross-user. alice@client can log in to bob@server provided she has the private key and the public key is in bob's authorized_keys file.
  To enable this you need to uncomment/add to /etc/ssh/sshd_config:
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

HTH,
cheers,
Owen.
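As an added example (not part of Owen's reply or the original thread), the steps above as a small POSIX shell script: it installs a public key into the server account's authorized_keys once, with the directory and file modes that sshd's default StrictModes check requires, and verifies that the two sshd_config directives Owen names are actually active rather than commented out. The public key and the sshd_config fragments are constructed for the demo; a real key comes from `ssh-keygen`.

```shell
#!/bin/sh
# Added example, not from the thread: install a public key the way the
# reply describes and check the sshd_config directives it mentions.
set -eu

# Constructed sample public key (demo only); real keys come from ssh-keygen.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYDATAONLYFORDEMO sysop@desktop'

# install_pubkey HOMEDIR "pubkey line"
# Appends the key to HOMEDIR/.ssh/authorized_keys once (idempotent) and sets
# the modes sshd insists on with StrictModes: 700 on the directory, 600 on
# the file. A group- or world-writable file makes sshd silently ignore keys.
install_pubkey() {
    home=$1; key=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    auth="$home/.ssh/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_sshd_config FILE
# Succeeds only if both directives are present and uncommented;
# returns 1 if either is missing or still behind a leading '#'.
check_sshd_config() {
    cfg=$1
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$cfg" || return 1
    grep -Eq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+.*authorized_keys' "$cfg" || return 1
}

# count_keys FILE: number of non-empty lines in an authorized_keys file.
count_keys() { grep -c . "$1"; }

# Demo: a scratch directory stands in for bob's home on the DMZ server.
DEMO=$(mktemp -d)
install_pubkey "$DEMO/bob" "$SAMPLE_PUBKEY"
install_pubkey "$DEMO/bob" "$SAMPLE_PUBKEY"   # second run must not duplicate

# Constructed sshd_config fragments: "before" has the directives commented
# out (as a stock Debian sshd_config of the time did), "after" enables them.
printf '#PubkeyAuthentication yes\n#AuthorizedKeysFile %%h/.ssh/authorized_keys\n' \
    > "$DEMO/sshd_config.before"
printf 'PubkeyAuthentication yes\nAuthorizedKeysFile %%h/.ssh/authorized_keys\n' \
    > "$DEMO/sshd_config.after"

echo "demo files under $DEMO"
```

Once the key logs in, keep the private key passphrase-protected and loaded via ssh-agent as the original question suggests, so a compromised server yields no reusable password.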
