Thanks. I'll read up on certificates and read the link at the bottom of
your reply. It's not sinking in at the moment but hopefully it will
after a little reading.
With respect to the problem: I want to have files on my "server" at
home and have my laptop be the only "out of house" machine that can
access them. This much I have already, but I enter a password to get
in. I may be off base, but it seems like I should be able to have the
key on the laptop and get in without using a password or pass phrase.
It isn't really a big deal, but it bothers me that I think I should be
able to do it but I can't find a way.
Another application for this is that it is a server oriented way of
avoiding the man-in-the-middle issue for the first connection. I
currently have no concern over this, but it is another example.
Thank you,
Bruce
--- Begin Message ---
On (25/04/06 19:23), Bruce Corbin wrote:
> Hi All,
>
> Before you flame me --- I asked this question over in debian-ssh and
> after 24 hours I didn't have a single hit on it. So I thought I would
> try it over here.
>
> I would like to configure a Debian server to only allow clients to ssh
> in if the public keys (probably RSA keys) already reside on the hard
> drives of both machines.
>
> After spending some time in the snail book I am able to use
> "StrictHostKeyChecking yes" in the clients /etc/ssh/ssh_config file to
> cause the client to refuse to establish a ssh connection unless the
> server's public key is in the client's /home/user-name/.ssh/known_hosts
> file. This is useful in preventing "overly trusting users" from blindly
> answering "yes" and accepting man-in-the-middle keys when connecting to
> a new server. But, this does not restrict who can connect to the server.
I haven't used this setting. What happens when the server's key expires?
>
> I tried putting "StrictHostKeyChecking yes" in the server's
> /etc/ssh/sshd_config file but I got a "bad configuration option" error.
StrictHostKeyChecking is a client configuration directive, not a server
one.
> My server's /etc/ssh/sshd_config file has "PublicKeyAuthentication yes"
Good
> and "PasswordAuthentication no".
Any other methods allowed?
> I am uneasy about experimenting with
> PublicKeyAuthentication without having a better understanding of what it
> really does. I don't want to turn off any authentication features or
> turn off any encryption features and leave myself wide open but thinking
> that I am secure.
>
The sshd_config file has pretty conservative settings by default, i.e.
it disables things that are at the riskier end of the scale. Turning off
PasswordAuthentication and others and using PublicKeyAuthentication
should make you more secure (by that I mean you will be immune from
script kiddies using password guessing scripts). You are right to be
careful about what you do though.
I would not recommend turning off password authentication until the end
of the process unless you have local access to the server, otherwise you're
on your own.
You haven't actually explained what your problem is, so I'll just
descibe the usual setup.
The server has a certificate so that you know who they are, and you get
this bit and have set it up.
The client has a key, this is slightly different, as their is no web of
trust or similar, the client just has to prove knowledge of that secret.
You have to create a key for each client. This is easily done with
ssh-keygen -t rsa
on the client machine. You then need to get this key to the server so
that it can check it with the client. The easiest way to do this is with
ssh-copy-id -i ~/.ssh/id_rsa.pub [EMAIL PROTECTED]
You can then
ssh [EMAIL PROTECTED]
and instead of being prompted to enter your password for the server you
will be prompted for the passphrase on the key. Turn on debugging output
from ssh if you want to confirm it is using key based authentication.
Then I would recommend looking in to ssh-agent, and libpam-ssh.
libpam-ssh is one of the most useful bits of software I have installed.
You can get a full walkthrough here
http://www.debian-administration.org/articles/152
James
>
> Any suggestions?
>
http://www.google.co.uk/search?hl=en&q=ssh+key&btnG=Google+Search&meta=
--
James Westby
[EMAIL PROTECTED]
http://jameswestby.net/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
--- End Message ---
