Alan Altmark wrote:
> On Thursday, 01/22/2009 at 11:06 EST, John Summerfield
> <[email protected]> wrote:
>> Auditors like to think they know who did things. If I connect to your
>> system using ssh, how do you know it's me? All you know is that someone
>> connected using a public key you've approved.
> Because you (should) have 'PubKeyAuthentication YES' on each server you
yes
> will access. That will cause a signature to be generated using your
> matching private key, which is only on your home system(s). That, in
> turn, requires you to enter the password you used during ssh-keygen.
yes
Mine's null, but never mind.
> To avoid having to enter your private-key-encrypting password each time
> you ssh to a host, you use ssh-agent (maybe with something like keychain)
> so that you only enter your password once per local login session. You
> can also cause in-memory keys to be purged after 'n' minutes. Hint: Don't
> use the same password for each keygen and don't use the same password as
> your login password, though the latter isn't too much of a problem since
> you change your own password at defined intervals.
> If you don't authenticate a user's public key, then its value is
> significantly reduced. As the file containing the public keys is not
> encrypted, you have no idea who might be in possession of it.
Now just what identifies who logged in here just now?
02:28:26 [email protected] ~ # tail /var/log/auth.log| grep ssh
Jan 23 02:28:01 mail sshd[4533]: Accepted publickey for root from
192.168.9.131 port 54877 ssh2
Jan 23 02:28:01 mail sshd[4535]: (pam_unix) session opened for user root
by root(uid=0)
02:30:33 [email protected] ~ # grep -i pub /etc/ssh/sshd_config
PubkeyAuthentication yes
02:30:38 [email protected] ~ #
The system in question's running Debian, but I don't think that makes a
difference.
--
Cheers
John
-- spambait
[email protected] [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
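The log excerpt above shows the gap John is pointing at: "Accepted publickey for root from 192.168.9.131" names the account and the source, not the person. What closes the gap is the key fingerprint, which later OpenSSH releases append to that same line (older ones log it only at LogLevel VERBOSE), matched against the per-person entries in authorized_keys. The script below is an added example, not code from this thread or from OpenSSH; the authorized_keys entries, key blobs and log lines in it are constructed samples, and it assumes the fingerprint, when logged, appears in the "ssh2: <type> SHA256:..." form.

```python
"""Attribute sshd public-key logins to the key (and so the person) that made them.

Added example for this thread, not part of the original mail. It assumes
OpenSSH logs the key fingerprint on the "Accepted publickey" line
(OpenSSH 6.3 and later do; older servers need LogLevel VERBOSE or log
nothing usable, as in the 2009 log above). All keys and log lines here
are constructed samples, not real key material.
"""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Key-type tokens that mark where the key itself begins in an authorized_keys
# line (entries may be prefixed with options such as from="..." or command="...").
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")

# Constructed authorized_keys: one key per person, the comment names the owner.
# The base64 blobs are placeholders of valid base64 shape, not real keys.
AUTHORIZED_KEYS = """\
# root's authorized_keys on host "mail" (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForJohn0000000000 john@home
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForAlan0000000000 alan@laptop
"""

UNKNOWN_KEY = "<fingerprint not in authorized_keys>"

# Matches both the old line (no fingerprint) and the newer one with ": TYPE SHA256:..."
LOGIN_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted publickey for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def sha256_fingerprint(blob_b64: str) -> str:
    """OpenSSH's SHA256 fingerprint: base64 of sha256(raw key blob), unpadded.

    This is the value `ssh-keygen -l -E sha256` prints for the same key."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_key_owners(authorized_keys_text: str) -> Dict[str, str]:
    """Map each key's fingerprint to the comment (owner) recorded for it."""
    owners: Dict[str, str] = {}
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # simplified: options containing spaces are not handled
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        blob = fields[idx + 1]
        comment = " ".join(fields[idx + 2:]) or "<no comment>"
        owners[sha256_fingerprint(blob)] = comment
    return owners


def attribute_logins(log_lines: List[str], key_owners: Dict[str, str]) -> List[dict]:
    """Return one record per accepted public-key login, with the owner resolved
    from the logged fingerprint, None when sshd logged no fingerprint, and
    UNKNOWN_KEY when the fingerprint is not in authorized_keys (worth alerting on)."""
    events = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        fp: Optional[str] = m.group("fp")
        owner = key_owners.get(fp, UNKNOWN_KEY) if fp else None
        events.append({
            "user": m.group("user"),
            "source": f"{m.group('ip')}:{m.group('port')}",
            "fingerprint": fp,
            "owner": owner,
        })
    return events


# Constructed sample log: the 2009-style line from the thread (no fingerprint),
# a modern line carrying John's key fingerprint, and one with a key nobody approved.
JOHN_FP = sha256_fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForJohn0000000000")
SAMPLE_LOG = [
    "Jan 23 02:28:01 mail sshd[4533]: Accepted publickey for root from 192.168.9.131 port 54877 ssh2",
    "Jan 23 02:28:01 mail sshd[4535]: (pam_unix) session opened for user root by root(uid=0)",
    f"Jan 23 02:31:10 mail sshd[4601]: Accepted publickey for root from 192.168.9.131 port 54902 ssh2: ED25519 {JOHN_FP}",
    "Jan 23 02:40:55 mail sshd[4688]: Accepted publickey for root from 192.168.9.140 port 41022 ssh2: ED25519 SHA256:" + "A" * 43,
]

if __name__ == "__main__":
    for ev in attribute_logins(SAMPLE_LOG, load_key_owners(AUTHORIZED_KEYS)):
        who = ev["owner"] if ev["owner"] else "<no fingerprint logged: unattributable>"
        print(f"{ev['user']:<6} from {ev['source']:<22} key={ev['fingerprint'] or '-':<52} -> {who}")
```

The three accepted logins print three different answers to "who was that?": the first cannot be attributed at all, the second resolves to john@home, and the third used a key that is not in authorized_keys, which on a root account is exactly the event to alert on.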
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390