On (25/04/06 19:23), Bruce Corbin wrote: > Hi All, > > Before you flame me --- I asked this question over in debian-ssh and > after 24 hours I didn't have a single hit on it. So I thought I would > try it over here. > > I would like to configure a Debian server to only allow clients to ssh > in if the public keys (probably RSA keys) already reside on the hard > drives of both machines. > > After spending some time in the snail book I am able to use > "StrictHostKeyChecking yes" in the clients /etc/ssh/ssh_config file to > cause the client to refuse to establish a ssh connection unless the > server's public key is in the client's /home/user-name/.ssh/known_hosts > file. This is useful in preventing "overly trusting users" from blindly > answering "yes" and accepting man-in-the-middle keys when connecting to > a new server. But, this does not restrict who can connect to the server.
I haven't used this setting. What happens when the server's key expires? > > I tried putting "StrictHostKeyChecking yes" in the server's > /etc/ssh/sshd_config file but I got a "bad configuration option" error. StrictHostKeyChecking is a client configuration directive, not a server one. > My server's /etc/ssh/sshd_config file has "PublicKeyAuthentication yes" Good > and "PasswordAuthentication no". Any other methods allowed? > I am uneasy about experimenting with > PublicKeyAuthentication without having a better understanding of what it > really does. I don't want to turn off any authentication features or > turn off any encryption features and leave myself wide open but thinking > that I am secure. > The sshd_config file has pretty conservative settings by default, i.e. it disables things that are at the riskier end of the scale. Turning off PasswordAuthentication and others and using PublicKeyAuthentication should make you more secure (by that I mean you will be immune from script kiddies using password guessing scripts). You are right to be careful about what you do though. I would not recommend turning off password authentication until the end of the process unless you have local access to the server, otherwise you're on your own. You haven't actually explained what your problem is, so I'll just descibe the usual setup. The server has a certificate so that you know who they are, and you get this bit and have set it up. The client has a key, this is slightly different, as their is no web of trust or similar, the client just has to prove knowledge of that secret. You have to create a key for each client. This is easily done with ssh-keygen -t rsa on the client machine. You then need to get this key to the server so that it can check it with the client. The easiest way to do this is with ssh-copy-id -i ~/.ssh/id_rsa.pub [EMAIL PROTECTED] You can then ssh [EMAIL PROTECTED] and instead of being prompted to enter your password for the server you will be prompted for the passphrase on the key. Turn on debugging output from ssh if you want to confirm it is using key based authentication. Then I would recommend looking in to ssh-agent, and libpam-ssh. libpam-ssh is one of the most useful bits of software I have installed. You can get a full walkthrough here http://www.debian-administration.org/articles/152 James > > Any suggestions? > http://www.google.co.uk/search?hl=en&q=ssh+key&btnG=Google+Search&meta= -- James Westby [EMAIL PROTECTED] http://jameswestby.net/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
