john beamon wrote:
> I'd like to know just what's "normal" use for ssh. I've been running

You use ssh like you use rsh, rlogin, and rcp. It's not really a replacement for telnet and ftp, it's a replacement for the r* commands. Of course, with sftp and password logins it might as well be a drop-in replacement for telnet and ftp.

> A friend of mine installed his box a couple times and didn't preserve the
> keys I had provided him. He found he couldn't ssh to my box, as I had
> allowed pub key-only authentication. He was trying to just "ssh john" and
> enter his system password, but I wasn't set up to do that. Again, this
> was a config I set up verbatim out of an O'Reilly article. The key in my
> notebook let me login from anywhere, so I never had a problem. It
> involved a little setup and a little help from a root user, but it worked
> just fine.

If you want telnet-like functionality, turn password authentication on.

> 2. I've configured the same box to allow key or password authentication.

Uh, ok.

> I made myself an unencrypted key pair by "ssh-keygen -P", and it works
> just fine. I've been able to do identification and authorization files
> and connect to and from multiple boxes. Works just like before, but with
> my system password instead of my 20-character passphrase. The difference
> is that now I can ssh to that box as another user, one that has never even
> made keys, and login with their password. If they've never run
> ssh-keygen, never made a key pair, how is this different from telnet, and
> why did I go to the trouble? This method begs the questions "why do we
> need users to run ssh-keygen" and "are users who don't run ssh-keygen
> even encrypted during their sessions".

Your session is now encrypted, whereas with telnet it's sent over the wire in plaintext. That's a very big difference, and worth the effort of setting up SSH alone.
Remember, ssh offers both session encryption *and* authentication services.

> I'm also thinking that an encrypted key pair with a long pass
> phrase is a better deal, in that it avoids passing your system password in
> ANY form, and that a server that *requires* keys prevents any stranger
> from getting ssh access (on a telnet-free "secured" system) once
> they've stolen a user/pw pair. I'm game. I need to learn this.
> Anyone who can answer this before I do gets huge kudos from me.

With ssh it's a lot easier to manage multiple accounts from one central account. And by using ssh-agent you can easily jump from account to account using a single pair of keys. You can't do that with telnet or securely with rsh.

ssh supports password authentication to make life easy. At a minimum, by enabling password authentication support you allow users to copy their public key to the appropriate accounts.

Well, ssh doesn't solve everything. Most users do not encrypt their private keys, so the only thing that an attacker needs to do is [still] get the username and password and crack for the key-hosting box! At that point she has access to everything that user did, and not just that single account. This is one reason why a lot of admins will not allow ssh access to root accounts. Even with ssh, users still have to su to root. I'm not that bad, but I do normally disallow root access on public servers.

All in all, ssh is a better solution than most other remote access services. However, keep in mind it's not a perfect solution.

Oh, and with ssh you can write very nifty scripts to do things on other boxes like you could with rsh in the old days. (Or so I hear--I'm not that old. Hmm, John H. can probably tell you some good stories though..)

Regards,
Dustin

-- 
Dustin Puryear <[EMAIL PROTECTED]>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created. This has been widely regarded as a bad move.
- Douglas Adams

================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change your subscription information.
================================================
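The sshd_config choices the reply turns on (password authentication for telnet-like logins, key-only logins otherwise, and no direct root login, with su instead), as an added example that is not part of the original thread or of OpenSSH: a POSIX shell audit that reads the effective global value of each keyword from an sshd_config and flags the telnet-like settings, run over two constructed sample files. The defaults it assumes for absent keywords (PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password, PermitEmptyPasswords no) are those of current OpenSSH and are an assumption here; the sample configs and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): audit an sshd_config for
# the settings the reply discusses. Keyword defaults below are assumed to be
# those of current OpenSSH; older servers defaulted PermitRootLogin to "yes".

# Effective global value of one sshd_config keyword. Keywords are
# case-insensitive, the first non-comment occurrence wins, and anything below
# a "Match" line is conditional, so scanning stops there. Prints $3 if absent.
sshd_effective() {
    cfg=$1; key=$2; default=$3
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ { next }                       # comment line
        NF == 0 { next }                                # blank line
        { sub(/=/, " ") }                               # "Keyword=value" form
        tolower($1) == "match" { exit }                 # conditional section
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# One line per setting: "WARN:" for the telnet-like choices the thread warns
# about, "ok:" otherwise. The return status is the number of warnings.
audit_sshd_config() {
    cfg=$1; warnings=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication yes)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication yes)
    root=$(sshd_effective "$cfg" PermitRootLogin prohibit-password)
    empty=$(sshd_effective "$cfg" PermitEmptyPasswords no)

    if [ "$pw" = yes ]; then
        echo "WARN: PasswordAuthentication yes - a stolen user/password pair alone gives a shell"
        warnings=$((warnings + 1))
    else
        echo "ok:   PasswordAuthentication $pw - clients must hold an authorized key"
    fi
    if [ "$pk" != yes ]; then
        echo "WARN: PubkeyAuthentication $pk - keys made with ssh-keygen cannot be used"
        warnings=$((warnings + 1))
    else
        echo "ok:   PubkeyAuthentication yes"
    fi
    if [ "$root" = yes ]; then
        echo "WARN: PermitRootLogin yes - root is reachable directly instead of via su"
        warnings=$((warnings + 1))
    else
        echo "ok:   PermitRootLogin $root"
    fi
    if [ "$empty" = yes ]; then
        echo "WARN: PermitEmptyPasswords yes"
        warnings=$((warnings + 1))
    else
        echo "ok:   PermitEmptyPasswords $empty"
    fi
    return $warnings
}

# Constructed samples: the "key or password, root allowed" setup from the
# thread beside a key-only one. Written to the path given as $1.
write_weak_config() {
    cat > "$1" <<'EOF'
# constructed sample: password or key, root allowed (telnet-like)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
EOF
}

write_hardened_config() {
    cat > "$1" <<'EOF'
# constructed sample: key-only, root must su
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
# keywords under Match are conditional and do not count as global
Match Address 192.0.2.0/24
    PasswordAuthentication yes
    X11Forwarding yes
EOF
}

# Stand-alone use: "sh audit.sh /etc/ssh/sshd_config"; with no argument the
# two constructed samples are audited instead.
if [ $# -gt 0 ]; then
    for f in "$@"; do echo "== $f"; audit_sshd_config "$f"; done
else
    for kind in weak hardened; do
        tmp=$(mktemp) && "write_${kind}_config" "$tmp"
        echo "== $kind sample"
        n=0; audit_sshd_config "$tmp" || n=$?
        echo "   warnings: $n"
        rm -f "$tmp"
    done
fi
```

Pass a real sshd_config path to audit a server; note that settings placed under a Match block are deliberately ignored, so a password exception for one address range does not hide a key-only global policy, and conversely the audit says nothing about what those conditional blocks permit.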
In reply to: john beamon: "[brluglist] ssh questions"
This archive was generated by hypermail 2.1.2 : Thu Sep 06 2001 - 11:10:53 CDT
