Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

Ahh, thanks Greg, I can now see those missing parts of the article -- it was NoScript, but, seeing most of the graphics in the article, somehow NoScript didn't come to mind as the cause of the problem. On Friday, June 03, 2022 02:29:45 PM Greg Wooledge wrote: > On Fri, Jun 03, 2022 at

Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

On Fri, Jun 3, 2022 at 13:46 wrote: > On Friday, June 03, 2022 02:16:45 PM Tom Browder wrote: > > I briefly looked at the article and didn't notice anything missing. Maybe > > if you could take some screen shots in those areas we could help. > > Thanks for the reply, and thanks, I'll do that. >

Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

On 6/3/22 08:46, rhkra...@gmail.com wrote: On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote: I have been using ssh for logging in to my remote hosts for many years, but I have NOT been using ssh-agent. I'm intentionally not addressing your specific questions. For me, your post

Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

On Fri, Jun 03, 2022 at 01:16:45PM -0500, Tom Browder wrote: > On Fri, Jun 3, 2022 at 10:46 wrote: > > <https://betterprogramming.pub/how-to-use-ssh-certificates-for-scalable-secure-and-more-transparent-server-access-720a87af6617?gi=8a3ac1f658bc> > > > > On

Re: How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

On Fri, Jun 3, 2022 at 10:46 wrote: > On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote: > > I have been using ssh for logging in to my remote hosts for many years, > but > > I have NOT been using ssh-agent. > > I'm intentionally not addressing your specific question

How about ssh certificates (was: Re: ssh-agent: I want to start using on all my remote hosts)

On Friday, June 03, 2022 10:43:53 AM Tom Browder wrote: > I have been using ssh for logging in to my remote hosts for many years, but > I have NOT been using ssh-agent. I'm intentionally not addressing your specific questions. For me, your post is rather timely, because I'm digging in

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

gged in) > > 2. after initial setup, no ssh access will be allowed via a password > > I have seen much documentation on securing such a host, but I don't > want to be an expert--I just need a recipe. > You need to open /etc/ssh/sshd_config and the right settings are obvious fro

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On 2/18/2016 5:05 PM, Roman wrote: > Seriously, you have to trust someone to achieve goals. So accessing > server via ssh keys is pretty normal and secure + ldaps auth of course > (centralized account management), so if someone leaves, just disable > his account. sudo supports lda

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Fri, Feb 19, 2016 at 09:30:20AM +1300, Richard Hector wrote: > That then means that you don't get to choose which people have root on > which boxes - anyone who gets the rule gets the lot. And that includes > anyone who leaves, of course. Yes, but a leaked root password for one host does not

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: > >2. after initial setup, no ssh access will be allowed via a password > > $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_confi

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wednesday 17 February 2016 14:24:02 Darac Marjal wrote: > >2. after initial setup, no ssh access will be allowed via a password > > $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config That's a bad idea: You may end up with 2 PasswordAuthentication e

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Please don't cc me; I'm on the list] On 19/02/16 11:05, Roman wrote: > 2016-02-18 22:30 GMT+02:00 Richard Hector >: > > > > I think a better solution in the end is to generate a random password > for each box, and leave it, on

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

rver and connect it to another machine, then just replace the hash to one you know password for in /etc/shadow. Place your drive back and boot up. After you finish the work, change your root password again to some crazy piece of random. ;-) Seriously, you have to trust someone to achieve goals. So

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On 18/02/16 11:02, Jeremy T. Bouse wrote: >>> I do agree locking the root password isn't advisable. As I use >>> >> configuration management/automation to handle my servers I simply set the >>> >> root password to generated password that only I know the algorithm to >>> >> reproduce it when I

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wed, Feb 17, 2016 at 4:02 PM, Jeremy T. Bouse wrote: > On 2/17/2016 3:31 PM, Tom Browder wrote: >> On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse >> wrote: ... >>> I do agree locking the root password isn't advisable. As I use >>>

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On 2/17/2016 3:31 PM, Tom Browder wrote: > On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse > <jeremy.bo...@undergrid.net> wrote: >> Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good >> starts... I'd also check that "Chal

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse <jeremy.bo...@undergrid.net> wrote: > Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good > starts... I'd also check that "ChallengeResponseAuthentication no" is set as > well as

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good starts... I'd also check that "ChallengeResponseAuthentication no" is set as well as some PAM modules will utilize it and be able to get around passwords being entered as well as "UsePAM n

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, Feb 17, 2016 at 04:26:28PM +0100, Peter Ludikovsky wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > More or less. What I wouldn't agree with is locking the root account > completely, because, like Thomas said, you'll be locked out

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 More or less. What I wouldn't agree with is locking the root account completely, because, like Thomas said, you'll be locked out should you ever be dropped to a rescue shell due to an hardware error. Regards, /peter Am 17.02.2016 um 15:56 schrieb

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wed, Feb 17, 2016 at 8:24 AM, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: >> >> I have several remote Debian 7 servers and would like to secure it in >> the following manner: ... I can follow that! Thanks so much, Darac. Best,

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky wrote: > -BEGIN PGP SIGNED MESSAGE- ... Thanks, Peter. Do you agree with Darac's solution? Best, -Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote: > On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote: > >I have several remote Debian 7 servers and would like to secure it in > >the following manner: > > > >1. root will not be

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, The first requirement is simple. Add the line PermitRootLogin no or change it accordingly, and reload the SSH daemon. For the second: do you want to disallow any logins via passwords, or are the to be allowed once to set up the keys? The first

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

but users can still elevate to root by using sudo. 2. after initial setup, no ssh access will be allowed via a password $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config $ sudo service ssh restart I have seen much documentation on securing such a ho

Debian security: need recipe for blocking root ssh access AND all ssh password access

I have several remote Debian 7 servers and would like to secure it in the following manner: 1. root will not be allowed any external access (access is only via a user becoming root while logged in) 2. after initial setup, no ssh access will be allowed via a password I have seen much

Re: zelfde LANG op ssh server als op ssh client

Op 2013-12-27 om 09:52 schreef Paul van der Vlis: Op 26-12-13 17:52, Geert Stappers schreef: Hoi, Op de client computer waar ik een ssh sessie start, is LANG=en_US. In /etc/ssh/ssh_config staat onder andere SendEnv LANG LC_* De server waar de ssh-sessie naar toe gaat

Re: ssh, ssh-agent und ssh-keys

On Sun, 2 Feb 2003 22:41:09 +0100, Kai Weber [EMAIL PROTECTED] wrote: * Marc Haber [EMAIL PROTECTED]: Was genau ist der Vorteil von keychain im Vergleich zu use-ssh-agent in /etc/X11/Xsession.options in Verbindung mit /etc/X11/Xsession.d/90xfree86-common_ssh-agent? Man muss keine XSession

Re: ssh, ssh-agent und ssh-keys

* Marc Haber [EMAIL PROTECTED]: Was genau ist der Vorteil von keychain im Vergleich zu use-ssh-agent in /etc/X11/Xsession.options in Verbindung mit /etc/X11/Xsession.d/90xfree86-common_ssh-agent? Man muss keine XSession starten, um in den Genuss eines laufenden ssh-agent'en samt gemerkten

Re: ssh, ssh-agent und ssh-keys

On Wed, 29 Jan 2003 17:51:32 +0100, Torsten Wolf [EMAIL PROTECTED] wrote: Da sollte Dir keychain - An OpenSSH key manager weiterhelfen. Was genau ist der Vorteil von keychain im Vergleich zu use-ssh-agent in /etc/X11/Xsession.options in Verbindung mit /etc/X11/Xsession.d/90xfree86-common_ssh

Re: ssh, ssh-agent und ssh-keys

Hallo Andreas, * Andreas Metzler [EMAIL PROTECTED] [29-01-03 23:00]: ssh-askpass? Danke für den Tip, genau das Proggi hat mir noch gefehlt. -- Gruss Matthias -- Häufig gestellte Fragen und Antworten (FAQ): http://www.de.debian.org/debian-user-german-FAQ/ Zum AUSTRAGEN schicken Sie eine

Re: ssh, ssh-agent und ssh-keys

am 29.01.2003, um 23:00:29 +0100 mailte Andreas Metzler folgendes: Unter $ANDERE_DISTRI hatte ich es geschafft, daß nach Login via KDM ich nach dem Passphrase gefragt wurde. War ein kleines Fensterle, wo man das eintippsen mußte. [...] ssh-askpass? Ja, genau. apt-get install ssh

Re: ssh, ssh-agent und ssh-keys

: if [ $PS1 ]; then ... case $TERM in xterm*) ... [ -z $SSH_TTY ] ssh-add -l /dev/null || ssh-add ~/.ssh/id_dsa ;; *) ;; esac ... fi Damit wird beim (lokalen) Öffnen eines xterms überprüft, ob der ssh-agent schon meinen Key kennt. Wenn nicht, dann

Re: ssh, ssh-agent und ssh-keys

Hallo Andreas, * Andreas Kretschmer [EMAIL PROTECTED] [30-01-03 11:11]: Ja, genau. apt-get install ssh-askpass habe ich gemacht, aber wie erreiche ich, daß es an passender Stelle aufgerufen wird? Ich hab in meiner .Xsession einfach ssh-add eingetragen, ssh-add ruft dann automatisch ssh-askpass

Re: ssh, ssh-agent und ssh-keys

On Thu, 30 Jan 2003 11:11:17 +0100, Andreas Kretschmer wrote: ssh-askpass? Ja, genau. apt-get install ssh-askpass habe ich gemacht, aber wie erreiche ich, daß es an passender Stelle aufgerufen wird? ssh-add ruft automagisch ssh-askpass auf, wenn ssh-add keine kein Terminal hat um nach dem

Re: ssh, ssh-agent und ssh-keys

On Don, 30 Jan 2003, Andreas Kretschmer wrote: Ja, genau. apt-get install ssh-askpass habe ich gemacht, aber wie erreiche ich, daß es an passender Stelle aufgerufen wird? /etc/X11/Xsession.options siehe Xsession.options(5) Herzliche Grüße Norbert

Re: ssh, ssh-agent und ssh-keys

. [...] ssh-askpass? Ja, genau. apt-get install ssh-askpass habe ich gemacht, aber wie erreiche ich, daß es an passender Stelle aufgerufen wird? Das Programm wird von ssh-add aufgerufen, wenn ssh-add in deiner .xsession aufgerufen wird. $ cat .xsession ... /usr/bin/ssh-add exec blackbox

Re: ssh, ssh-agent und ssh-keys

am 30.01.2003, um 12:30:23 +0100 mailte Reinhard Foerster folgendes: ssh-add ruft automagisch ssh-askpass auf, wenn ssh-add keine kein Terminal hat um nach dem Paßwort zu fragen Das Thema hatten wir doch kürzlich erst: http://mailman.schlittermann.de/pipermail/lug-dd/2003-January/019367

ssh, ssh-agent und ssh-keys

Hi, ich möchte ssh bei mir jetzt gerne so umstellen, das ich mit ssh-key's arbeiten kann(das geht jetzt schon). Dieser Key soll mit einer passphrase geschützt sein, was auch schon geht. Aber wie kann ich erreichen, das ich die passphrase nur einmal eingeben muss, z.B. solange meine xsession

Re: ssh, ssh-agent und ssh-keys

am 29.01.2003, um 15:31:45 +0100 mailte Matthias Fechner folgendes: Hi, ich möchte ssh bei mir jetzt gerne so umstellen, das ich mit ssh-key's arbeiten kann(das geht jetzt schon). Dieser Key soll mit einer passphrase geschützt sein, was auch schon geht. Aber wie kann ich erreichen, das

Re: ssh, ssh-agent und ssh-keys

On Mit, 29 Jan 2003, Matthias Fechner wrote: Aber wie kann ich erreichen, das ich die passphrase nur einmal eingeben muss, z.B. solange meine xsession läuft oder für eine bestimmte Zeit. Da sollte Dir keychain - An OpenSSH key manager weiterhelfen. Gruß Torsten -- Häufig gestellte Fragen und

Re: ssh, ssh-agent und ssh-keys

On Wed, Jan 29, 2003 at 03:31:45PM +0100, Matthias Fechner wrote: ich möchte ssh bei mir jetzt gerne so umstellen, das ich mit ssh-key's arbeiten kann(das geht jetzt schon). Dieser Key soll mit einer passphrase geschützt sein, was auch schon geht. Aber wie kann ich erreichen, das ich die

Re: ssh, ssh-agent und ssh-keys

On Wed, 29 Jan 2003 15:31:45 +0100, Matthias Fechner wrote: Aber wie kann ich erreichen, das ich die passphrase nur einmal eingeben muss, z.B. solange meine xsession läuft oder für eine bestimmte Zeit. Die ganze X-Session sollte aus Kindprozessen des ssh-agent bestehen. Dann gibst du dem ssh

Re: ssh, ssh-agent und ssh-keys

Andreas Kretschmer [EMAIL PROTECTED] wrote: am 29.01.2003, um 15:31:45 +0100 mailte Matthias Fechner folgendes: ich möchte ssh bei mir jetzt gerne so umstellen, das ich mit ssh-key's arbeiten kann(das geht jetzt schon). Dieser Key soll mit einer passphrase geschützt sein, was auch schon geht

potato not affected by SSH bug (was Re: debian potato's SSH not affected by SSH bug?)

then openssh2.3.1 is not affected by these specific vulnerabilties. and even in the newer ones its only vulnerable under a specific set of circumstances. and even then only affect SSH protocol 2. hardly the bug it was hyped to be. i guess thats good news though :) as colin(i think) mentioned

debian potato's SSH not affected by SSH bug?

i sent a message to bugtraq a couple minutes ago asking the people on the list if any other versions were tested. hoping that it gets approved, usually takes a few hours or a day to make it through. but the way I read the advisory debian potato's SSH should not be vulnerable to this bug. which

Re: debian potato's SSH not affected by SSH bug?

nate wrote: i sent a message to bugtraq a couple minutes ago asking the people on the list if any other versions were tested. hoping that it gets approved, usually takes a few hours or a day to make it through. but the way I read the advisory debian potato's SSH should not be vulnerable

Re: debian potato's SSH not affected by SSH bug?

quote who=Phil Brutsche No, potato's ssh packages are vunlerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134. Note that the upgraded openssh packages require update openssl packages; it looks like the new

Re: debian potato's SSH not affected by SSH bug?

On Wed, Jun 26, 2002 at 01:58:29PM -0500, Phil Brutsche wrote: No, potato's ssh packages are vunlerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134. That advisory predates the release of full information

Re: debian potato's SSH not affected by SSH bug?

On Wed, Jun 26, 2002 at 02:10:58PM -0500, Dave Sherohman wrote: Would the security team please issue an official update to the advisory indicating whether, now that further information on the vulnerability has been released, existing (pre-3.3) debian ssh packages are believed to be affected

Re: debian potato's SSH not affected by SSH bug?

Phil Brutsche [EMAIL PROTECTED] writes: No, potato's ssh packages are vunlerable and updates have been made available; DSA-134 contains all the necessary information: http://www.debian.org/security/2002/dsa-134. That DSA does not contain all the information currently available, because

ssh or not to ssh

Ok, new scenario. 3 debian unstable boxes. 3 2.4.2 kernels. 3 boxes all upgraded to latest dist-upgrade yesterday. 1 box will take ssh logins the other deny. I get the standard /etc/motd, then a line saying: setgid: Operation not permitted Connection to vanguard closed. I've checked

Re: ssh or not to ssh

On Tue, 6 Mar 2001, Robert L. Harris wrote: Ok, new scenario. 3 debian unstable boxes. 3 2.4.2 kernels. 3 boxes all upgraded to latest dist-upgrade yesterday. 1 box will take ssh logins the other deny. I get the standard /etc/motd, then a line saying: setgid: Operation not permitted

Re: ssh or not to ssh

Will do when I get home. Thanks. Robert Thus spake Gavin Hamill ([EMAIL PROTECTED]): On Tue, 6 Mar 2001, Robert L. Harris wrote: Ok, new scenario. 3 debian unstable boxes. 3 2.4.2 kernels. 3 boxes all upgraded to latest dist-upgrade yesterday. 1 box will take ssh logins

Re: Is ssh 2 incompatible with ssh 1?

, lsh will not yield a true free version of ssh which is what the world _urgently_ needs. Greetings Marc -- -- !! No courtesy copies, please !! - Marc Haber |Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning

Re: Is ssh 2 incompatible with ssh 1?

On Fri, Apr 23, 1999 at 23:40:57 +, Marc Haber wrote: However, I have been told that lsh uses scheme which is not free in a Debian sense. Thus, lsh will not yield a true free version of ssh which is what the world _urgently_ needs. You're misinformed. - Scheme is a programming language

Is ssh 2 incompatible with ssh 1?

Hi all: I've installed ssh 2.10 and tried to connect to my school via ssh (I know that they run ssh protocol) and got the following: bash-2.01$ ssh cdf.utoronto.ca Disconnected; protocol version not supported. They are using vershio 1, AFAIK. Does this mean that v.2 is incompatible

Re: Is ssh 2 incompatible with ssh 1?

On 23 Apr 1999, Arcady Genkin wrote: I've installed ssh 2.10 and tried to connect to my school via ssh (I know that they run ssh protocol) and got the following: bash-2.01$ ssh cdf.utoronto.ca Disconnected; protocol version not supported. They are using vershio 1, AFAIK. Does

Re: Is ssh 2 incompatible with ssh 1?

On 23 Apr 1999, Arcady Genkin wrote: Hi all: I've installed ssh 2.10 and tried to connect to my school via ssh (I know that they run ssh protocol) and got the following: bash-2.01$ ssh cdf.utoronto.ca Disconnected; protocol version not supported. They are using

Re: Is ssh 2 incompatible with ssh 1?

On Fri, Apr 23, 1999 at 10:10:18 -0400, Dan Brosemer wrote: The other option is to can ssh2 (and I would just because of the licensing differences) SSH2, while having a license that is more evil than SSH1, is based on version 2 of the SSH protocol, which is much more friendly for free software

Re: Is ssh 2 incompatible with ssh 1?

On Friday, April 23, 1999 at 10:06:19 -0400, Arcady Genkin wrote: From: Arcady Genkin [EMAIL PROTECTED] Message-ID: [EMAIL PROTECTED] X-Mailer: Gnus v5.6.45/XEmacs 20.4 - Emerald Sender: Arcady Genkin [EMAIL PROTECTED] I've installed ssh 2.10 and tried to connect to my school via ssh

Re: Is ssh 2 incompatible with ssh 1?

Sender: Arcady Genkin [EMAIL PROTECTED] I've installed ssh 2.10 and tried to connect to my school via ssh (I know that they run ssh protocol) and got the following: bash-2.01$ ssh cdf.utoronto.ca Disconnected; protocol version not supported. They are using vershio 1, AFAIK