[Novalug] POSSIBLE BREAK-IN in auth.log via ssh

William Sutton william@trilug.org
Fri Feb 13 12:00:41 EST 2009


I believe the key they have in mind is an RSA or DSA key; typically as the 
user in question, you can log in and

$ ssh-keygen -t dsa

follow the prompts, and it will drop an id_dsa.pub file in your .ssh 
directory.  Append the contents of that file to the .ssh/authorized_keys2 
file in the account of the host you want to log in to, and voila! No 
password required.

If you set key-only login, the key will work and access attempts without a 
key will be rejected.

I'll leave it to the more knowledgeable minds on the list to speak as to 
whether this can be done to the root account without affecting user 
accounts.

William Sutton

On Fri, 13 Feb 2009, Beartooth wrote:

> On Thu, 12 Feb 2009, Jon Taimanglo wrote:
>
>> Norman, I still think ditching the password altogether would provide
>> additional security.
>>
>> Tons of stuff on the net, but one quick how-to:
>>
>> http://sial.org/howto/openssh/publickey-auth/
>>
>> Once you have key authentication set up, turn off password
>> authentication.  Those attempting a dictionary style attack will be
>> turned away immediately.
>
> 	One of my gurux has been urging me to that, and I haven't
> gotten around to it, largely because I don't understand it, at
> all, at all.
>
> 	Two Very Dumb Questions, please.
>
> 	1) It talks of a public key; does that mean I have to get
> into PGP, GPG, or whatever -- first??
>
> 	2) One of the great advantages of a remote host is that I
> can get into it from anywhere -- even from a MegaSleazo machine
> in a public library in Podunk Squared, if need be. Won't the
> passwordless approach kill that??
>
> --
> Beartooth Bookworm, Cantankerous Curmudgeon
> I have never owned a television. Nor wanted to.
> _______________________________________________
> Novalug mailing list
> Novalug@calypso.tux.org
> http://calypso.tux.org/cgi-bin/mailman/listinfo/novalug
>
>
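
A check for the "key-only login" setting discussed in this thread, as an added example that is not part of any message above: it reads an sshd_config and reports whether passwords can still be accepted, including through keyboard-interactive authentication or a Match block. The function names are hypothetical; it assumes whitespace-separated "Keyword value" lines and upstream OpenSSH defaults, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: the function names are hypothetical, not OpenSSH tools.
# Assumes "Keyword value" lines separated by whitespace and upstream
# OpenSSH defaults (the three auth options below default to "yes").

# effective_opt FILE KEYWORD DEFAULT
# Value sshd uses from the global section (before the first Match line).
# Keywords are case-insensitive and the first occurrence wins.
effective_opt() {
    awk -v want="$2" -v dflt="$3" '
        /^[ \t]*#/ || NF == 0        { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# match_reenables FILE: succeeds if any Match block turns passwords back on.
match_reenables() {
    awk '
        tolower($1) == "match" { in_match = 1; next }
        in_match && tolower($2) == "yes" &&
          tolower($1) ~ /^(password|kbdinteractive|challengeresponse)authentication$/ { hit = 1 }
        END { exit !hit }
    ' "$1"
}

# key_only_login FILE: succeeds only if public keys are the sole way in.
key_only_login() {
    pw=$(effective_opt "$1" PasswordAuthentication yes)
    # Newer configs use KbdInteractiveAuthentication; older ones use
    # ChallengeResponseAuthentication for the same setting.
    kbd=$(effective_opt "$1" KbdInteractiveAuthentication unset)
    [ "$kbd" = unset ] && kbd=$(effective_opt "$1" ChallengeResponseAuthentication yes)
    pk=$(effective_opt "$1" PubkeyAuthentication yes)
    [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pk" = yes ] && ! match_reenables "$1"
}

# Constructed sample: password auth is off, keyboard-interactive is left at
# its default, and a Match block re-enables passwords for one account.
sample=$(mktemp)
printf '%s\n' '# constructed sshd_config' 'PasswordAuthentication no' \
    'UsePAM yes' 'Match User backup' '    PasswordAuthentication yes' > "$sample"
if key_only_login "$sample"; then echo "key-only login"
else echo "passwords can still be accepted"; fi
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself computes it.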


