Re: SSH and RSA

2001-02-20 Thread Uwe A. P. Wuerdinger


Duane Powers wrote:

> Hi all,
>
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  


> then I login using the normal p/w that is local to the box. I have found
> that he did
> not need to transmit the local password over the tunnel, but rather used
> RSA to
> verify his identity, but I can't find documentation on how to do it.
>  Security> does anyone have any information on how I can implement the
> same safeguards? Or where I can at least find some documentation on
> practical ssh implementation.

>
> As always, You guys are great, thanks in advance for the help,

Some notes: this example is done with OpenSSH
from a Debian/GNU Linux box to a Sun Enterprise 250 running Solaris 8,
SSH protocol version 1.5.
If you need it I can send you an example with protocol version 2.

[me@localbox ]$ ssh-keygen
[me@localbox ]$ cd ~/.ssh
[me@localbox ]$ scp identity.pub root@remotebox:/.ssh/[EMAIL PROTECTED]
[me@localbox ]$ ssh -l root remotebox
[root@remotebox]$ cd ~/.ssh
[root@remotebox]$ pwd
/.ssh
[root@remotebox]$ cat [EMAIL PROTECTED] >> authorized-keys
[root@remotebox]$ exit
[me@localbox ]$ ssh -l root remotebox

Now enter the passphrase you've used when you created your keys with
ssh-keygen and that's it :-)



greets Doc aka. Uwe A. P. Wuerdinger
- --
X-Tec GmbH
Institute for Computer and Network Security
WWW : http://www.x-tec.de/








Re: SSH and RSA

2001-02-19 Thread Duane Powers
Olaf Meeuwissen wrote:
> Stephen Andrew <[EMAIL PROTECTED]> writes:
> > Mike Dresser wrote:
> > > You don't mention whether the previous admin is still with you, but if not,
> > > you'll want to remove his RSA keys from the server, or else you can change
> > > your root password all you want, and he'll still be able to connect,
> > > assuming he can get to the machine via your network/internet.
> >
> > Mike has an exceptionally pertinent point here.
> >
> > Right now - even before you start trying to load your own RSA key in, log
> > into all machines running SSH and remove the previous admin's key from
> > ~root/.ssh/authorized_keys;
>
> Be paranoid.  Remove the ~root/.ssh/authorized_keys from all boxen
> (you might want to move it out of the way till you're set up though)
> and start from scratch.  As the admin you want to know who can get in
> as root on your machines.  Besides script kiddies of course :-)
>
> There was a good mini HOWTO kind of posting on debian-user a while
> back that got me started without much trouble.  The original is at:
>
>   http://home.netcom.com/~kmself/Linux/FAQs/sshrsakey.html
>
> Hope this helps,

Thanks all for the prompt responses... The URL and the advice helped immensely;
I got it working. Thanks.

-- 
D U A N E   P O W E R S   [EMAIL PROTECTED]
The plan was simple.  Unfortunately, so was Bullwinkle.


Re: SSH and RSA

2001-02-19 Thread Olaf Meeuwissen
Stephen Andrew <[EMAIL PROTECTED]> writes:

> > Mike Dresser wrote:
> > 
> > > You don't mention whether the previous admin is still with 
> > you, but if not, you'll want to remove his RSA keys from the 
> > server, or else you can change your root password all you want,
> > and he'll still be able to connect, assuming he can get to the
> > machine via your network/internet.
> 
> Mike has an exceptionally pertinent point here.
> 
> Right now - even before you start trying to load your own RSA key
> in, log into all machines running SSH and remove the previous admin's
> key from ~root/.ssh/authorized_keys;

Be paranoid.  Remove the ~root/.ssh/authorized_keys from all boxen
(you might want to move it out of the way till you're set up though)
and start from scratch.  As the admin you want to know who can get in
as root on your machines.  Besides script kiddies of course :-)

There was a good mini HOWTO kind of posting on debian-user a while
back that got me started without much trouble.  The original is at:

  http://home.netcom.com/~kmself/Linux/FAQs/sshrsakey.html

Hope this helps,
-- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development







RE: SSH and RSA

2001-02-19 Thread Stephen Andrew
> -Original Message-
> From: Duane Powers [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, February 20, 2001 7:37 AM
> To: Mike Dresser
> Cc: debian-security@lists.debian.org
> Subject: Re: SSH and RSA
> 
> 
> Mike Dresser wrote:
> 
> > You don't mention whether the previous admin is still with 
> you, but if not, you'll want to remove his RSA keys from the 
> server, or else you can change your root password all you want,
> and he'll still be able to connect, assuming he can get to the
> machine via your network/internet.

Duane,

Mike has an exceptionally pertinent point here.

Right now - even before you start trying to load your own RSA key in, log
into all machines running SSH and remove the previous admin's key from
~root/.ssh/authorized_keys;

from=10.0.0.1,command="uptime" 1024 35 139485134527235534952349785023974659023475923475089234758907234057564387523487589234750234765079234658079623457862340769510950293476590175907234650934234948571390874534925902345907623490562347895638924765923876589237465892374659389234752348907569234590234579013465978234658972346589762349856239487562347896 Bilbo Baggins
1024 35 1394851345272355349523497850239746590234759234750892347589072340575643875234875892347502347650792346580796234578623407951095029347659017590723465093423494857139087453492590234590762349056234789563892476592387658923746589237465934892347523489075692345902345790134659782346589723465897623498562394875623478896 Joe Random
1024 35 1394851345272355349523497850239746590234759234750892347589072340575643875234875892347502347650792346580796234578623407951095029347659017590723465093423494857139087453492590234590762349056234789563892476592387658923746589237465934892347523489075692345902345790134659782346589723465897623498562394875623478896 Jayne Eyre

Each line in this file contains some directives (as in the first entry above
(from=, command=), a public key (starts with 1024 35 XXX in the examples
above), and a comment, usually the name or email address of the person who
generated it.  Remove any appearing to belong to the previous admin.

Those containing a command="..." directive will only be able to execute that
command and so may be related to automated processes.

To add your own key first generate it (possibly on your workstation if you
are sure it is well secured) using ssh-keygen.  Make sure you use a
passphrase.  A command like:

ssh-keygen -b 1024 -f .ssh/identity -C "Joe New Admin"

should suffice.  Make sure that the generated .ssh/identity is not readable
by any but you and shouldn't be writeable by anybody.

Now copy the file .ssh/identity.pub onto all of the machines running SSH and
add it to the end of ~root/.ssh/authorized_keys on each machine.  You can do
this using scp or even a cut-and-paste via ssh.  Make sure that you do not
split the line up when adding it to authorized_keys.

This will give you RSA keypair authentication to all of those machines
instead of password access.

I would also recommend creating a non-root account to log in with and
totally disallow root logins.   You would be able to simply move the
authorized_keys file to the non-root .ssh directory.

-- 
Andrew J. Stephen Network Operations Manager

"The important thing about standards is to have them."
 -- Bruce Schneier, creator of the Twofish algorithm  

> A couple of quick notes, I just realized that by trying to be 
> cute and 
> putting my comments in angle brackets, those among us who may 
> read html 
> mail, may not be able to see my comments (my bad).
> 
> And second, I saw him login once, he was prompted for his RSA key as 
> follows:
> (to the best of my recollection)
> ssh [EMAIL PROTECTED]
> enter RSA passkey:
> #  <<< remote prompt
> 
> > 
> > 
> > Duane Powers wrote:
> > 
> >> Hi all,
> >> 
> >> Recently I was made administrator over a dozen Solaris boxen 
> >> The prior admin was offsite and used ssh with rsa keys to 
> access the boxes.
> >> He allowed root login, and used the RSA key functionality 
> to keep the root
> >> password safe.
> >> I am not as mature as he was regarding ssh  and 
> have only used
> >> ssh as a plug in replacement to telnet,  a different
> >> p/w during
> >> ssh-keygen> and simply access the boxes as follows: ssh -l 
>  
> >> then I login using the normal p/w that is local to the 
> box. I have found
> >> that he did
> >> not need to transmit the local password over the tunnel, 
> but rather used
> >> RSA to
> >> verify his identity, but I can't find documentation on how 
> to do it.
> >>  >> Security> does anyone have any information on h
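An added example (not from this thread and not OpenSSH code) that audits an authorized_keys file the way the reply above recommends: it parses each entry into options, key and comment, flags entries restricted by a command= directive, and separates out entries whose comment names the previous admin. The sample file, the names and the short fake moduli are constructed, and it assumes the comment field is the only attribution available, as it was for the poster.

```python
"""Audit an OpenSSH authorized_keys file: list entries, flag forced
commands, and drop the previous admin's keys. Handles both the protocol-1
format ("bits exponent modulus comment") shown in the thread and the
protocol-2 format ("keytype base64 comment"), with or without a leading
options field. Added example; not part of the thread or of OpenSSH."""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    options: list     # e.g. ['from=10.0.0.1', 'command="uptime"']
    key: str          # '1024 35 <modulus>' or 'ssh-rsa <base64>'
    comment: str      # whatever the key's creator left, often a name
    line_no: int

    @property
    def forced_command(self):
        """Command the key is restricted to, or None if unrestricted."""
        for opt in self.options:
            if opt.startswith("command="):
                return opt[len("command="):].strip('"')
        return None


def split_options(line):
    """Return (options_list, remainder). Options end at the first whitespace
    outside double quotes; a line starting with a bit count or key type has none."""
    if re.match(r"^(\d+\s|ssh-|ecdsa-)", line):
        return [], line
    in_quotes, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            break
        i += 1
    opts_raw, rest = line[:i], line[i:].lstrip()
    # Split on commas, but not on commas inside a quoted value.
    opts = re.findall(r'(?:[^,"]|"(?:\\.|[^"])*")+', opts_raw)
    return opts, rest


def parse_entry(line, line_no):
    options, rest = split_options(line.strip())
    if rest[:1].isdigit():          # protocol 1: bits exponent modulus [comment]
        tokens = rest.split(None, 3)
        if len(tokens) < 3 or not all(t.isdigit() for t in tokens[:3]):
            raise ValueError(f"line {line_no}: malformed protocol-1 key")
        key, comment = " ".join(tokens[:3]), (tokens[3] if len(tokens) > 3 else "")
    else:                           # protocol 2: keytype base64 [comment]
        tokens = rest.split(None, 2)
        if len(tokens) < 2:
            raise ValueError(f"line {line_no}: malformed protocol-2 key")
        key, comment = " ".join(tokens[:2]), (tokens[2] if len(tokens) > 2 else "")
    return Entry(options, key, comment, line_no)


def parse_file(text):
    """Parse every non-blank, non-comment line, remembering its line number."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip() and not raw.lstrip().startswith("#"):
            entries.append(parse_entry(raw, n))
    return entries


def audit(text, previous_admin):
    """Return (kept, removed): entries whose comment mentions the previous
    admin (case-insensitive) go to removed, everything else to kept."""
    kept, removed = [], []
    for e in parse_file(text):
        (removed if previous_admin.lower() in e.comment.lower() else kept).append(e)
    return kept, removed


def rewrite_without(text, previous_admin):
    """File text with the previous admin's entries dropped and every other
    line, comments and blanks included, kept byte-for-byte."""
    drop = {e.line_no for e in audit(text, previous_admin)[1]}
    lines = text.splitlines(keepends=True)
    return "".join(l for n, l in enumerate(lines, 1) if n not in drop)


# Constructed sample file; short fake moduli stand in for the ~300-digit ones.
SAMPLE = """\
from=10.0.0.1,command="uptime" 1024 35 1394851345272355349 Bilbo Baggins
1024 35 3875234875892347502 Joe Random
# commented out
1024 35 2349485713908745349 Jayne Eyre
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructed= old-admin@workstation
"""

if __name__ == "__main__":
    kept, removed = audit(SAMPLE, "old-admin")
    for e in kept:
        tag = f" (restricted to: {e.forced_command})" if e.forced_command else ""
        print(f"keep   line {e.line_no}: {e.comment}{tag}")
    for e in removed:
        print(f"remove line {e.line_no}: {e.comment}")
```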

Re: SSH and RSA

2001-02-19 Thread Pavel Minev Penev
On Mon, Feb 19, 2001 at 01:21:45PM -0500, Dan Hutchinson wrote:
> Without SSH enabled, I was able to pass my root user account from one
> trusted Solaris Box to another with an /.rhost and /etc/host.equiv file.
> #cat .rhost
> Doctor
> 
> #cat /etc/host.equiv
> Doctor  root
> 
> For example, Doctor would be the solaris hostname and root would be the
> account.  This leaves a big security hole, so I only activate it when
> I am doing backups for about 4-5 hours each month.  Maybe someone on
> the list can help with the RSA since I am fairly new in that field also
> 
> Dan
> 
>  Duane Powers <[EMAIL PROTECTED]> wrote:
> > Hi all,
> > 
> > Recently I was made administrator over a dozen Solaris boxen 
> > The prior admin was offsite and used ssh with rsa keys to access the
> > boxes.
> > He allowed root login, and used the RSA key functionality to keep the
> > root
> > password safe.
> > I am not as mature as he was regarding ssh  and have only used
> > ssh as a plug in replacement to telnet,  > 
> > p/w during
> > ssh-keygen> and simply access the boxes as follows: ssh -l  
> > then I login using the normal p/w that is local to the box. I have
> > found 
> > that he did
> > not need to transmit the local password over the tunnel, but rather
> > used 
> > RSA to
> > verify his identity, but I can't find documentation on how to do it.
> > 
> >  > Security> does anyone have any information on how I can implement the
> > 
> > same safeguards? Or where I can at least find some documentation on
> > 
> > practical ssh implementation.
> > 
> > As always, You guys are great, thanks in advance for the help,

Hi, guys. Here's what I've got:


<-- terminal copy start: -->

$ ssh -v
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.

<-- terminal copy snip -->

$ man ssh
SSH(1)  System Reference Manual SSH(1)

NAME
 ssh - OpenSSH secure shell client (remote login program)

<-- terminal copy snip -->

DESCRIPTION

<-- terminal copy snip -->

   SSH protocol version 1

<-- terminal copy snip -->

 As a third authentication method, ssh supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
 where encryption and decryption are done using separate keys, and it is
 not possible to derive the decryption key from the encryption key.  RSA
 is one such system.  The idea is that each user creates a public/private
 key pair for authentication purposes.  The server knows the public key,
 and only the user knows the private key.  The file
 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
 logging in.  When the user logs in, the ssh program tells the server
 which key pair it would like to use for authentication.  The server
 checks if this key is permitted, and if so, sends the user (actually the
 ssh program running on behalf of the user) a challenge, a random number,
 encrypted by the user's public key.  The challenge can only be decrypted
 using the proper private key.  The user's client then decrypts the
 challenge using the private key, proving that he/she knows the private key
 but without disclosing it to the server.

<-- terminal copy snip -->

<-- terminal copy end: -->

I also suggest re-reading the ssh-keygen(1) manual page.

To use RSA/DSA authentication you need to generate a personal log-in key pair
(via ssh-keygen). Then, copy your public key to the remote machine's
"$HOME/.ssh/authorized_keys" for RSA or "$HOME/.ssh/authorized_keys2" for DSA
where "$HOME" is the home directory for the user as who you want to log in on
the remote machine. After this step, assuming the other configuration is fine,
an "$ ssh -l remote_user_name remote_host_name" should be about enough to log
in to the remote machine.

A piece of advice: if you want security, read all the manual documentation you
have about ssh.

Good luck,
-- 
Pavel M. Penev




Re: SSH and RSA

2001-02-19 Thread Duane Powers

Mike Dresser wrote:

> You don't mention whether the previous admin is still with you, but if not,
> you'll want to remove his RSA keys from the server, or else you can change your
> root password all you want, and he'll still be able to connect, assuming he can
> get to the machine via your network/internet.

No, he's not available for help, so yes, I want to change his passwords 
and the keys associated with the root account.

A couple of quick notes, I just realized that by trying to be cute and 
putting my comments in angle brackets, those among us who may read html 
mail, may not be able to see my comments (my bad).

And second, I saw him login once, he was prompted for his RSA key as 
follows:

(to the best of my recollection)
ssh [EMAIL PROTECTED]
enter RSA passkey:
#  <<< remote prompt

> Duane Powers wrote:
>
> > Hi all,
> >
> > Recently I was made administrator over a dozen Solaris boxen 
> > The prior admin was offsite and used ssh with rsa keys to access the boxes.
> > He allowed root login, and used the RSA key functionality to keep the root
> > password safe.
> > I am not as mature as he was regarding ssh  and have only used
> > ssh as a plug in replacement to telnet,  and simply access the boxes as follows: ssh -l  
> > then I login using the normal p/w that is local to the box. I have found
> > that he did
> > not need to transmit the local password over the tunnel, but rather used
> > RSA to
> > verify his identity, but I can't find documentation on how to do it.
> >  does anyone have any information on how I can implement the
> > same safeguards? Or where I can at least find some documentation on
> > practical ssh implementation.
> >
> > As always, You guys are great, thanks in advance for the help,
> >
> > ~duane

-- 

The plan was simple.  Unfortunately, so was Bullwinkle. 








Re: SSH and RSA

2001-02-19 Thread Pedro Zorzenon Neto
Hi Duane,

from 'man ssh' you can find some answer:

 As a third authentication method, ssh supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
 where encryption and decryption are done using separate keys, and it is
 not possible to derive the decryption key from the encryption key.  RSA
 is one such system.  The idea is that each user creates a public/private
 key pair for authentication purposes.  The server knows the public key,
 and only the user knows the private key.  The file
 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
 logging in.  When the user logs in, the ssh program tells the server
 which key pair it would like to use for authentication.  The server
 checks if this key is permitted, and if so, sends the user (actually the
 ssh program running on behalf of the user) a challenge, a random number,
 encrypted by the user's public key.  The challenge can only be decrypted
 using the proper private key.  The user's client then decrypts the
 challenge using the private key, proving that he/she knows the private key
 but without disclosing it to the server.

 ssh implements the RSA authentication protocol automatically.  The user
 creates his/her RSA key pair by running ssh-keygen(1).  This stores the
 private key in .ssh/identity and the public key in .ssh/identity.pub in
 the user's home directory.  The user should then copy the identity.pub to
 .ssh/authorized_keys in his/her home directory on the remote machine (the
 authorized_keys file corresponds to the conventional .rhosts file, and
 has one key per line, though the lines can be very long).  After this,
 the user can log in without giving the password.  RSA authentication is
 much more secure than rhosts authentication.

I hope this will help you

  Bye


On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have found 
> that he did
> not need to transmit the local password over the tunnel, but rather used 
> RSA to
> verify his identity, but I can't find documentation on how to do it. 
>  Security> does anyone have any information on how I can implement the 
> same safeguards? Or where I can at least find some documentation on 
> practical ssh implementation.
> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 
> -- 
> 
>The plan was simple.  Unfortunately, so was Bullwinkle. 
> 
> 
> 
> 
> 
> 
> 
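To make the challenge-response that the ssh(1) excerpt describes (quoted in this message and in Pavel's above) concrete, here is an added toy model, not OpenSSH code and not the real wire format: textbook RSA on constructed tiny primes, the server encrypting a random challenge to the key it found in authorized_keys, and the client answering with a digest of the decrypted challenge rather than the challenge itself. The 4-byte challenge encoding and the session-id byte string are assumptions standing in for the protocol's real sizes.

```python
"""Toy model of the protocol-1 RSA challenge-response quoted from ssh(1).
Added illustration only: textbook RSA on constructed tiny primes, no
padding, and a simplified response encoding, so it shows the shape of the
exchange, not OpenSSH's actual message format."""
import hashlib
import hmac
import secrets

# Constructed toy key pair; the keys in this thread are 1024-bit.
P, Q = 61, 53
N = P * Q                           # modulus, part of both keys
E = 17                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, 2753
PUBLIC_KEY = (E, N)                 # what ~/.ssh/authorized_keys lists
PRIVATE_KEY = (D, N)                # what ~/.ssh/identity holds


def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 < m < n:
        raise ValueError("message must lie in (0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)


def response_for(challenge, session_id):
    """The client never sends the recovered challenge itself; it sends a
    digest bound to this session, so a captured answer is useless later."""
    return hashlib.md5(challenge.to_bytes(4, "big") + session_id).digest()


# --- server side -----------------------------------------------------------
def server_issue_challenge(authorized_pub, challenge=None):
    """Pick a random challenge (or use the given one, for tests) and encrypt
    it to the public key found in authorized_keys."""
    _, n = authorized_pub
    if challenge is None:
        challenge = secrets.randbelow(n - 2) + 2
    return challenge, rsa_encrypt(authorized_pub, challenge)


def server_verify(challenge, session_id, client_response):
    """Constant-time comparison against the digest the server expects."""
    expected = response_for(challenge, session_id)
    return hmac.compare_digest(expected, client_response)


# --- client side -----------------------------------------------------------
def client_answer(priv, encrypted_challenge, session_id):
    """Recover the challenge with the private key and return the digest."""
    return response_for(rsa_decrypt(priv, encrypted_challenge), session_id)


def run_exchange(authorized_pub, client_priv, session_id, challenge=None):
    """Full round trip; True only if the client holds the matching key."""
    plain, encrypted = server_issue_challenge(authorized_pub, challenge)
    answer = client_answer(client_priv, encrypted, session_id)
    return server_verify(plain, session_id, answer)


if __name__ == "__main__":
    sid = b"constructed-session-id"
    print("right key:", run_exchange(PUBLIC_KEY, PRIVATE_KEY, sid))   # True
    print("wrong key:", run_exchange(PUBLIC_KEY, (1234, N), sid))     # False
```

Because a wrong private key decrypts to a different number, its digest never matches; this is exactly why removing a key from authorized_keys, not changing the password, is what locks the old holder out.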



Re: SSH and RSA

2001-02-19 Thread Mark Janssen
On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have found 
> that he did
> not need to transmit the local password over the tunnel, but rather used 
> RSA to
> verify his identity, but I can't find documentation on how to do it. 
>  Security> does anyone have any information on how I can implement the 
> same safeguards? Or where I can at least find some documentation on 
> practical ssh implementation.

Ok... check your /etc/ssh/sshd_options file
You need to enable some options with RSA in their name, they are all there,
only commented out by default.

Next you need to go to your user's .ssh directory (the user/system you want
to ssh to... so root on your solaris boxes) and create a file called
authorized_keys (check the local sshd manual page for the exact name, it will
differ between implementations) and append your public key to it so:

cat my-public-key >> ~/.ssh/authorized_keys

Then you should be able to login with your key and key passphrase, and not
the local account password.

I just tried it on my local system and it works great (using teraterm ssh
on windows to my debian linux box)

Here's the line from the sshd_options file:
RSAAuthentication yes


More info can be found in the sshd_options file and the manual page for
sshd (not ssh) ;)

Have fun...

> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 

-- 
Mark Janssen Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]    GnuPG Key Id: 357D2178
http: markjanssen.homeip.net and markjanssen.[com|net|org|nl]
Fax/VoiceMail: +31 20 8757555 Finger for GPG and GeekCode




Re: SSH and RSA

2001-02-19 Thread Mike Dresser
You don't mention whether the previous admin is still with you, but if not,
you'll want to remove his RSA keys from the server, or else you can change your
root password all you want, and he'll still be able to connect, assuming he can
get to the machine via your network/internet.

Duane Powers wrote:

> Hi all,
>
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have found
> that he did
> not need to transmit the local password over the tunnel, but rather used
> RSA to
> verify his identity, but I can't find documentation on how to do it.
>  Security> does anyone have any information on how I can implement the
> same safeguards? Or where I can at least find some documentation on
> practical ssh implementation.
>
> As always, You guys are great, thanks in advance for the help,
>
> ~duane



Re: SSH and RSA

2001-02-19 Thread Mike Moran
Duane Powers wrote:
> 
> Hi all,
[ ... ]
> I have found
> that he did
> not need to transmit the local password over the tunnel, but rather used
> RSA to
> verify his identity, but I can't find documentation on how to do it.
>  Security> does anyone have any information on how I can implement the
> same safeguards?
[ ... ]

He probably simply generated a public/private key on his local machine,
and then ftp'd (or somehow transmitted) his public key to the remote
host. Somewhere within the SSH protocol, his local private key is used
to sign something which is then decrypted by the remote public key. Only
someone who holds the correct private key would be able to sign
something which could be decrypted by the public key so this authorises
client (you) to the server.

To set this up, you just have to do ssh-keygen locally then append
~local_user/.ssh/identity.pub to ~remote_user/.ssh/authorized_keys. You
should then be able to do "ssh -l remote_user foo.com" without being
asked for a password.

I think that's right, but check the manpages anyway.

-- 
[EMAIL PROTECTED] 
   Web: http://houseofmoran.com/
   AvantGo: http://houseofmoran.com/Lite/



Re: SSH and RSA

2001-02-19 Thread Dan Hutchinson
Without SSH enabled, I was able to pass my root user account from one
trusted Solaris Box to another with an /.rhost and /etc/host.equiv file.
#cat .rhost
Doctor

#cat /etc/host.equiv
Doctor  root

For example, Doctor would be the solaris hostname and root would be the
account.  This leaves a big security hole, so I only activate it when
I am doing backups for about 4-5 hours each month.  Maybe someone on
the list can help with the RSA since I am fairly new in that field also

Dan

 Duane Powers <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the
> boxes.
> He allowed root login, and used the RSA key functionality to keep the
> root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  
> p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have
> found 
> that he did
> not need to transmit the local password over the tunnel, but rather
> used 
> RSA to
> verify his identity, but I can't find documentation on how to do it.
> 
>  Security> does anyone have any information on how I can implement the
> 
> same safeguards? Or where I can at least find some documentation on
> 
> practical ssh implementation.
> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 
> -- 
> 
>The plan was simple.  Unfortunately, so was Bullwinkle. 
> 
> 
> 
> 
> 
> --  
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 
> 

___
To get your own FREE ZDNet Onebox - FREE voicemail, email, and fax,
all in one place - sign up today at http://www.zdnetonebox.com



Re: SSH and RSA

2001-02-19 Thread Pavel Minev Penev

On Mon, Feb 19, 2001 at 01:21:45PM -0500, Dan Hutchinson wrote:
> Without SSH enabled, I was able to pass my root user account from one
> trusted Solaris Box to another with an /.rhost and /etc/host.equiv file.
> #cat .rhost
> Doctor
> 
> #cat /etc/host.equiv
> Doctor  root
> 
> For example, Doctor would be the solaris hostname and root would be the
> account.  This leaves a big security hole, so I only activate it when
> I am doing backups for about 4-5 hours each month.  Maybe someone on
> the list can help with the RSA since I am fairly new in that field also
> 
> Dan
> 
>  Duane Powers <[EMAIL PROTECTED]> wrote:
> > Hi all,
> > 
> > Recently I was made administrator over a dozen Solaris boxen 
> > The prior admin was offsite and used ssh with rsa keys to access the
> > boxes.
> > He allowed root login, and used the RSA key functionality to keep the
> > root
> > password safe.
> > I am not as mature as he was regarding ssh  and have only used
> > ssh as a plug in replacement to telnet,  > 
> > p/w during
> > ssh-keygen> and simply access the boxes as follows: ssh -l  
> > then I login using the normal p/w that is local to the box. I have
> > found 
> > that he did
> > not need to transmit the local password over the tunnel, but rather
> > used 
> > RSA to
> > verify his identity, but I can't find documentation on how to do it.
> > 
> >  > Security> does anyone have any information on how I can implement the
> > 
> > same safeguards? Or where I can at least find some documentation on
> > 
> > practical ssh implementation.
> > 
> > As always, You guys are great, thanks in advance for the help,

Hi, guys. Here's what I've got:


<-- terminal copy start: -->

$ ssh -v
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.

<-- terminal copy snip -->

$ man ssh
SSH(1)  System Reference Manual SSH(1)

NAME
 ssh - OpenSSH secure shell client (remote login program)

<-- terminal copy snip -->

DESCRIPTION

<-- terminal copy snip -->

   SSH protocol version 1

<-- terminal copy snip -->

 As a third authentication method, ssh supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
 where encryption and decryption are done using separate keys, and it is
 not possible to derive the decryption key from the encryption key.  RSA
 is one such system.  The idea is that each user creates a public/private
 key pair for authentication purposes.  The server knows the public key,
 and only the user knows the private key.  The file
 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
 logging in.  When the user logs in, the ssh program tells the server
 which key pair it would like to use for authentication.  The server
 checks if this key is permitted, and if so, sends the user (actually the
 ssh program running on behalf of the user) a challenge, a random number,
 encrypted by the user's public key.  The challenge can only be decrypted
 using the proper private key.  The user's client then decrypts the chal-
 lenge using the private key, proving that he/she knows the private key
 but without disclosing it to the server.

<-- terminal copy snip -->

<-- terminal copy end: -->

I also suggest re-reading the ssh-keygen(1) manual page.

To use RSA/DSA authentication you need to generate a personal log-in key pair
(via ssh-keygen). Then, copy your public key to the remote machine's
"$HOME/.ssh/authorized_keys" for RSA or "$HOME/.ssh/authorized_keys2" for DSA
where "$HOME" is the home directory for the user as who you want to log in on
the remote machine. After this step, assuming the other configuration is fine,
an "$ ssh -l remote_user_name remote_host_name" should be about enough to log
in to the remote machine.

A piece of advice: if you want security, read all the manual documentation you
have about ssh.

Good luck,
-- 
Pavel M. Penev


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




SSH and RSA

2001-02-19 Thread Duane Powers

Hi all,

Recently I was made administrator over a dozen Solaris boxen 
The prior admin was offsite and used ssh with rsa keys to access the boxes.
He allowed root login, and used the RSA key functionality to keep the root
password safe.
I am not as mature as he was regarding ssh  and have only used
ssh as a plug in replacement to telnet, p/w during

ssh-keygen> and simply access the boxes as follows: ssh -l  
then I login using the normal p/w that is local to the box. I have found 
that he did
not need to transmit the local password over the tunnel, but rather used 
RSA to
verify his identity, but I can't find documentation on how to do it. 
Security> does anyone have any information on how I can implement the 
same safeguards? Or where I can at least find some documentation on 
practical ssh implementation.


As always, You guys are great, thanks in advance for the help,


~duane

--

  The plan was simple.  Unfortunately, so was Bullwinkle. 







Re: SSH and RSA

2001-02-19 Thread Duane Powers

Mike Dresser wrote:

> You don't mention whether the previous admin is still with you, but if not,
> you'll want to remove his RSA keys from the server, or else you can change your
> root password all you want, and he'll still be able to connect, assuming he can
> get to the machine via your network/internet.

No, he's not available for help, so yes, I want to change his passwords 
and the keys associated with the root account.

A couple of quick notes, I just realized that by trying to be cute and 
putting my comments in angle brackets, those among us who may read html 
mail, may not be able to see my comments (my bad).

And second, I saw him login once, he was prompted for his RSA key as 
follows:
(to the best of my recollection)
ssh [EMAIL PROTECTED]
enter RSA passkey:
#  <<< remote prompt

> 
> 
> Duane Powers wrote:
> 
>> Hi all,
>> 
>> Recently I was made administrator over a dozen Solaris boxen 
>> The prior admin was offsite and used ssh with rsa keys to access the boxes.
>> He allowed root login, and used the RSA key functionality to keep the root
>> password safe.
>> I am not as mature as he was regarding ssh  and have only used
>> ssh as a plug in replacement to telnet, > p/w during
>> ssh-keygen> and simply access the boxes as follows: ssh -l  
>> then I login using the normal p/w that is local to the box. I have found
>> that he did
>> not need to transmit the local password over the tunnel, but rather used
>> RSA to
>> verify his identity, but I can't find documentation on how to do it.
>> > Security> does anyone have any information on how I can implement the
>> same safeguards? Or where I can at least find some documentation on
>> practical ssh implementation.
>> 
>> As always, You guys are great, thanks in advance for the help,
>> 
>> ~duane
> 


--

The plan was simple.  Unfortunately, so was Bullwinkle. 










Re: SSH and RSA

2001-02-19 Thread Pedro Zorzenon Neto

Hi Duane,

from 'man ssh' you can find some answer:

 As a third authentication method, ssh supports RSA based authentication.
 The scheme is based on public-key cryptography: there are cryptosystems
 where encryption and decryption are done using separate keys, and it is
 not possible to derive the decryption key from the encryption key.  RSA
 is one such system.  The idea is that each user creates a public/private
 key pair for authentication purposes.  The server knows the public key,
 and only the user knows the private key.  The file
 $HOME/.ssh/authorized_keys lists the public keys that are permitted for
 logging in.  When the user logs in, the ssh program tells the server
 which key pair it would like to use for authentication.  The server
 checks if this key is permitted, and if so, sends the user (actually the
 ssh program running on behalf of the user) a challenge, a random number,
 encrypted by the user's public key.  The challenge can only be decrypted
 using the proper private key.  The user's client then decrypts the challenge
 using the private key, proving that he/she knows the private key
 but without disclosing it to the server.

 ssh implements the RSA authentication protocol automatically.  The user
 creates his/her RSA key pair by running ssh-keygen(1).  This stores the
 private key in .ssh/identity and the public key in .ssh/identity.pub in
 the user's home directory.  The user should then copy the identity.pub to
 .ssh/authorized_keys in his/her home directory on the remote machine (the
 authorized_keys file corresponds to the conventional .rhosts file, and
 has one key per line, though the lines can be very long).  After this,
 the user can log in without giving the password.  RSA authentication is
 much more secure than rhosts authentication.

I hope this will help you

  Bye


On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have found 
> that he did
> not need to transmit the local password over the tunnel, but rather used 
> RSA to
> verify his identity, but I can't find documentation on how to do it. 
>  Security> does anyone have any information on how I can implement the 
> same safeguards? Or where I can at least find some documentation on 
> practical ssh implementation.
> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 
> -- 
> 
>The plan was simple.  Unfortunately, so was Bullwinkle. 

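Pavel's steps above, the ssh(1) excerpt Pedro quotes (ssh-keygen, then append identity.pub to the remote ~/.ssh/authorized_keys) and Mike Dresser's warning that the previous admin's key has to come out of that same file all come down to editing authorized_keys safely. The script below is an added example, not code from any of the posters: it manages whichever authorized_keys (or authorized_keys2) file you point it at, compares keys on their key material rather than on the free-text comment, and sets the owner-only permissions sshd's StrictModes expects. The paths and the key lines in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: manage an OpenSSH authorized_keys file
# (list, add once, remove by comment, fix permissions). Handles both formats:
#   protocol 1 (identity.pub):          "bits exponent modulus comment"
#   protocol 2 (id_rsa.pub/id_dsa.pub): "type base64 comment"
# Keys are compared on key material, never on the comment: the comment is
# free text and two copies of one key may carry different comments.

# Number of key lines in the file; blank lines and # comments are skipped.
count_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { n++ } END { print n + 0 }' "$1"
}

# Key material of one public-key line: fields 1-3 for protocol 1 (the
# first field is the bit count), fields 1-2 for protocol 2. Empty for
# blank or comment lines.
key_material() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        $1 ~ /^[0-9]+$/     { print $1, $2, $3; next }
                            { print $1, $2 }'
}

# Comment field of one public-key line: everything after the material.
key_comment() {
    printf '%s\n' "$1" | awk '
        NF == 0 || $1 ~ /^#/ { next }
        { n = ($1 ~ /^[0-9]+$/) ? 3 : 2
          c = ""
          for (i = n + 1; i <= NF; i++) c = c (i > n + 1 ? " " : "") $i
          print c }'
}

# One line per key, "<material>  # <comment>", for auditing who may log in.
list_keys() {
    while IFS= read -r l; do
        m=$(key_material "$l")
        [ -n "$m" ] || continue
        printf '%s  # %s\n' "$m" "$(key_comment "$l")"
    done < "$1"
}

# Owner-only modes on the file and its directory: with StrictModes (the
# default) sshd ignores an authorized_keys that others could write.
fix_perms() {
    chmod 700 "$(dirname "$1")" && chmod 600 "$1"
}

# Append a public-key line unless the same key material is already there.
# Returns 0 if added, 1 if already present, 2 if $2 is not a key line.
add_key() {
    file=$1; line=$2
    mat=$(key_material "$line")
    [ -n "$mat" ] || return 2
    if [ -f "$file" ]; then
        while IFS= read -r existing; do
            if [ "$(key_material "$existing")" = "$mat" ]; then return 1; fi
        done < "$file"
    fi
    printf '%s\n' "$line" >> "$file" && fix_perms "$file"
}

# Drop every key whose comment equals $2 (for example the departed admin's
# "olduser@offsite") and print how many keys went away. Rewrites the file
# in place so its inode and permissions are kept.
remove_key_by_comment() {
    file=$1; who=$2
    before=$(count_keys "$file")
    tmp=$(mktemp "${TMPDIR:-/tmp}/ak.XXXXXX") || return 2
    while IFS= read -r l; do
        if [ -n "$(key_material "$l")" ] && [ "$(key_comment "$l")" = "$who" ]; then
            continue
        fi
        printf '%s\n' "$l"
    done < "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
    printf '%s\n' $(( before - $(count_keys "$file") ))
}

# Demo on a throwaway directory. The key lines are constructed placeholders,
# not real keys (a real protocol-1 modulus is about 300 digits long).
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/akdemo.XXXXXX") || return 1
    ak=$d/authorized_keys
    printf '%s\n' \
        '1024 35 1234567890123456789012345678901234567890 olduser@offsite' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAc29tZS1zYW1wbGUta2V5 backup@tape' > "$ak"
    fix_perms "$ak"
    echo "before:"; list_keys "$ak"
    new='1024 35 9876543210987654321098765432109876543210 duane@newbox'
    add_key "$ak" "$new" || echo "already present"
    add_key "$ak" "$new" || echo "second add skipped: same material"
    echo "removed $(remove_key_by_comment "$ak" olduser@offsite) key(s)"
    echo "after:"; list_keys "$ak"
    rm -rf "$d"
}
demo
```

On Solaris root's home directory is /, so the file to audit on each of the dozen boxes is /.ssh/authorized_keys (and /.ssh/authorized_keys2 if protocol 2 keys were ever installed). Run list_keys before and after the removal and keep the output: the comment is only a label, so a key pasted in without one, or with a changed comment, is only caught by reading the material, which is why remove_key_by_comment reports how many lines it actually dropped.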



Re: SSH and RSA

2001-02-19 Thread Mark Janssen

On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen 
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh  and have only used
> ssh as a plug in replacement to telnet,  p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l  
> then I login using the normal p/w that is local to the box. I have found 
> that he did
> not need to transmit the local password over the tunnel, but rather used 
> RSA to
> verify his identity, but I can't find documentation on how to do it. 
>  Security> does anyone have any information on how I can implement the 
> same safeguards? Or where I can at least find some documentation on 
> practical ssh implementation.

Ok... check your /etc/ssh/sshd_options file
You need to enable some options with RSA in their name, they are all there,
only commented out by default.

Next you need to go to your user's .ssh directory (the user/system you want
to ssh to... so root on your solaris boxes) and create a file called
authorized_keys (check the local sshd manual page for exact name, it will
differ between implementations) and append your public key to it so:

cat my-public-key >> ~/.ssh/authorized_keys

Then you should be able to log in with your key and key passphrase, and not
the local account password.

I just tried it on my local system and it works great (using teraterm ssh
on windows to my debian linux box)

Here's the line from the sshd_options file:
RSAAuthentication yes


More info can be found in the sshd_options file and the manual page for
sshd (not ssh) ;)

Have fun...

> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 

-- 
Mark Janssen Unix Consultant @ SyConOS IT
E-mail: [EMAIL PROTECTED]    GnuPG Key Id: 357D2178
http: markjanssen.homeip.net and markjanssen.[com|net|org|nl]
Fax/VoiceMail: +31 20 8757555 Finger for GPG and GeekCode

 PGP signature
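As an added example (not Mark's own code), here is a check over the server configuration he points at. OpenSSH reads it from sshd_config (commonly /etc/ssh/sshd_config); sshd takes the first uncommented occurrence of a keyword, and a line starting with # is a comment even when it spells out a valid setting, so the commented-out lines in a shipped file only document the compiled-in default (which for RSAAuthentication is yes) and are not settings in force. The script reports the effective value of the options that decide whether root can get in with a key and never with a password. The two sample configs are constructed; the "Keyword value" spelling is assumed, and the "Keyword=value" form and the Match blocks of later OpenSSH versions are not handled.

```shell
#!/bin/sh
# Added example, not from the thread: show what sshd will enforce for the
# settings that decide whether root gets in with a key and never with a
# password. sshd_config rules relied on here: the FIRST uncommented
# occurrence of a keyword wins, keywords are case-insensitive, and a line
# starting with # is a comment even if it spells out a valid setting.
# Assumes the "Keyword value" spelling ("Keyword=value" and the Match
# blocks of later OpenSSH versions are not handled).

# Effective value of keyword $2 in config file $1, or "unset" when only
# the compiled-in default applies.
sshd_effective() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(key) {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            found = 1; print v; exit
        }
        END { if (!found) print "unset" }' "$1"
}

# Lower-case a value so "Yes", "yes" and "YES" compare equal.
lc() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# One line per setting of interest.
report() {
    for k in Protocol RSAAuthentication PubkeyAuthentication \
             PermitRootLogin PasswordAuthentication PermitEmptyPasswords; do
        printf '%-24s %s\n' "$k" "$(sshd_effective "$1" "$k")"
    done
}

# 0 when the config lets root in with a key but refuses its password:
# key authentication not switched off for both protocol versions, and
# PermitRootLogin limited to keys ("without-password" in OpenSSH of this
# era; "prohibit-password" is the current spelling). An "unset" keyword
# means the compiled-in default, which for the two key options is yes.
root_key_only() {
    rsa=$(lc "$(sshd_effective "$1" RSAAuthentication)")
    pub=$(lc "$(sshd_effective "$1" PubkeyAuthentication)")
    prl=$(lc "$(sshd_effective "$1" PermitRootLogin)")
    if [ "$rsa" = no ] && [ "$pub" = no ]; then
        return 1
    fi
    case "$prl" in
        without-password|prohibit-password) return 0 ;;
    esac
    return 1
}

# Constructed sample configs. "shipped" mirrors a distribution file where
# every line is commented out, so nothing in it is actually in force.
shipped='#Port 22
#Protocol 2,1
#PermitRootLogin yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#PasswordAuthentication yes'

hardened='Protocol 2,1
PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
# this later duplicate is ignored: the first occurrence above already won
PermitRootLogin yes'

demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/sshdcfg.XXXXXX") || return 1
    printf '%s\n' "$shipped"  > "$d/shipped"
    printf '%s\n' "$hardened" > "$d/hardened"
    for f in shipped hardened; do
        echo "== $f"
        report "$d/$f"
        if root_key_only "$d/$f"; then
            echo "verdict: root is key-only"
        else
            echo "verdict: root password can still be tried (or keys are off)"
        fi
    done
    rm -rf "$d"
}
demo
```

After editing the real file, send sshd a SIGHUP (or restart it) so it re-reads the configuration, and test the key login from a second session before closing the one you are already in; a typo in sshd_config on a remote Solaris box is otherwise a trip to the console.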

