Re: Remote administration of a server
on Thu, Jun 09, 2005 at 08:02:06PM -0400, Robert Brockway ([EMAIL PROTECTED]) wrote:
> On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:
>
> > Sadly, most people (myself included) have no passphrase on their SSH
>
> Hi. Using PKI with no passphrase drops the level of security
> significantly (as I'm sure you know).
>
> > keys. I also end up bouncing around a variety of machines (some Fedora
> > some Windows with PuTTY and some Windows with SSH.com). So the key
> > thing is a pain in the butt. At least on the Linux machines it is
> > straightforward and I set those up when I can to use keys instead of
> > passwords.
>
> May I introduce you to ssh-agent and ssh-add. They are a standard part of
> ssh and will operate between implementations (as long as no one has broken
> their implementation).
>
> This is the last line of my ~/.xsession file:
>
> ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"

If you're starting X under Debian via a display manager (gdm, kdm, wdm, xdm, etc.), you're already running ssh-agent. Check your environment, or look at /etc/ssh-* (the directory pattern used for the authorization socket). I've found most other distros are now doing this as well. Accessing ssh-agent is now as simple as "ssh-add" in a terminal, to feed your password to the agent.

> After entering my passphrase as part of the login process[1] I can ssh
> to boxes all over the world without so much as entering my passphrase
> and I'm doing it securely. Of course you need to keep your session
> secure if you are doing this (and I certainly do).

You can also revoke a password (temporarily) from an agent:

    $ ssh-add -D    # Deletes all identities from the agent
    $ ssh-add -x    # lock agent with password
    $ ssh-add -X    # unlock agent.
    $ ssh-add -t    # Specify lifetime of identities (in seconds)

Remember: there are 60 seconds in a minute, 3600 seconds in an hour, and 86,400 seconds in a day. Which I know from memory (nine months spent working with 24-hour, seconds-resolution data). 604,800 seconds to a week, 2,419,200 seconds per 28 day "month", and 31,536,000 seconds per (standard) year, I have to calculate still.

ssh, RSA authentication, & ssh-agent are lifesavers. Add to them rsync (a fast, efficient, flexible file transfer protocol), screen (a detachable terminal multiplexer), and mc (a curses-based file manager on steroids, including the ability to transfer files back and forth) and you've got the makings of highly doable remote admin.

Peace.

-- 
Karsten M. Self http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Necessity knows no law.
Re: Remote administration of a server
Jon Dowland wrote:
> Hi - you appear to have the wrong date set on your computer. Your post
> claims to be from 07/08/05 (which to me reads '7th of august 2005', but
> could be interpreted as '8th july 2005', too). As you're using gmail,
> I'm not sure how that's happened?

The wrong date is because my old Windows installation, which I had to use occasionally, changed the date every time I used it (instead of days it was counting months :-). So sometimes I didn't notice this when I came back to Debian. I'm sending mail through Gmail using Thunderbird, so maybe this is how I "managed it".

-- 
Mitja Podreka
http://mitja.kizej.net

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Remote administration of a server
Hi - you appear to have the wrong date set on your computer. Your post claims to be from 07/08/05 (which to me reads '7th of august 2005', but could be interpreted as '8th july 2005', too). As you're using gmail, I'm not sure how that's happened?
Re: Remote administration of a server
On Fri, 17 Jun 2005, Mitja Podreka wrote:

> I have an ADSL connection without a fixed IP; can I then set some kind of
> IP net mask to restrict access from other IPs?

Yes you can. SSH can do this itself (if compiled against TCP Wrappers), or better you can get a firewall to do it.

It is generally accepted that if you block password access and use PKI authentication only then further restricting access based on IP is not necessary. OTOH people do do this - we have one client who wanted us to do this with some of their externally visible systems.

Here are a couple of things to consider:

1. The principles of least privilege and security in depth both endorse restricting the IP if you can.

2. If there is a remote exploit in sshd or something it relies on (like a library) you can rest easier if you know you've restricted access via IP.

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
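The advice in this post and the earlier one from Rob (password logins off, root logins off, PKI only, then source-address restriction as defence in depth) is easy to get subtly wrong in sshd_config, because sshd uses the first value it sees for a keyword and because turning off PasswordAuthentication alone leaves the keyboard-interactive/PAM path able to prompt for a password. The script below is an added example, not any poster's configuration: it audits the global section of an sshd_config for those settings and counts the weak ones. It assumes standard OpenSSH sshd_config syntax and the documented first-value-wins rule; the two sample configs it writes are constructed. Source-address restriction is left to hosts.allow or the firewall, as the post describes, and is not checked here.

```shell
#!/bin/sh
# Audit the global section of an sshd_config for the thread's recommendations:
# no password logins, no root logins, public-key authentication only.
# Added example, not from any poster. Assumes "Keyword value" (or
# Keyword=value) syntax, '#' comments, and sshd's rule that the FIRST value
# seen for a keyword wins. Address restriction is out of scope (hosts.allow
# or the firewall handle that, as the thread says).

# sshd_option FILE KEYWORD: print the effective value of KEYWORD (lower-cased)
# from the global section, i.e. before any Match block. Prints nothing if unset.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }               # comments, Keyword=value
        NF == 0 { next }
        tolower($1) == "match" { exit }                   # per-connection blocks: stop
        tolower($1) == key { print tolower($2); exit }    # first value wins
    ' "$1"
}

# audit_sshd_config FILE: print one line per weak setting; the return value is
# the number of findings, so 0 means the file matches the recommendations.
audit_sshd_config() {
    cfg=$1
    findings=0

    # Fallbacks are the defaults sshd applies when a keyword is absent. Note
    # that PermitRootLogin defaulted to "yes" until OpenSSH 7.0 changed it to
    # "prohibit-password"; the audit assumes the older, weaker default.
    pw=$(sshd_option "$cfg" PasswordAuthentication);      pw=${pw:-yes}
    root=$(sshd_option "$cfg" PermitRootLogin);           root=${root:-yes}
    pubkey=$(sshd_option "$cfg" PubkeyAuthentication);    pubkey=${pubkey:-yes}
    kbd=$(sshd_option "$cfg" KbdInteractiveAuthentication)   # name since OpenSSH 8.7
    [ -n "$kbd" ] || kbd=$(sshd_option "$cfg" ChallengeResponseAuthentication)
    kbd=${kbd:-yes}
    pam=$(sshd_option "$cfg" UsePAM);                     pam=${pam:-no}

    if [ "$pw" != no ]; then
        echo "PasswordAuthentication is '$pw': brute-forceable password logins allowed"
        findings=$((findings + 1))
    fi
    if [ "$root" != no ]; then
        echo "PermitRootLogin is '$root': log in as a user and escalate instead"
        findings=$((findings + 1))
    fi
    if [ "$pubkey" != yes ]; then
        echo "PubkeyAuthentication is '$pubkey': key-based login is disabled"
        findings=$((findings + 1))
    fi
    if [ "$kbd" != no ] && [ "$pam" = yes ]; then
        echo "keyboard-interactive is on with UsePAM: PAM can still prompt for a password"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_samples DIR: constructed sample configs, one weak and one hardened.
write_samples() {
    cat >"$1/weak.conf" <<'EOF'
# Looks locked down at the end, but sshd honours the first value it sees.
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication yes
UsePAM yes
PasswordAuthentication yes
PasswordAuthentication no
EOF
    cat >"$1/hardened.conf" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
}

# Demo: audit both samples and report the number of findings for each.
tmp=$(mktemp -d) && write_samples "$tmp"
for f in weak hardened; do
    echo "== $f.conf"
    audit_sshd_config "$tmp/$f.conf" && echo "-> OK" || echo "-> $? finding(s)"
done
rm -rf "$tmp"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit status is the number of weak settings, which makes it easy to wire into a cron job or a config-management check.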
Re: Remote administration of a server
Once again, RSA auth for SSH works well, since there is no password a dictionary attack won't work, make the key a 1024 bit or 2048 bit key and it'll take an extreme amount of time for any would be intruder to get past this. Of course you'll need to get the public key to yourself when you change keys, which should happen on a regular basis, as would password changes. Getting the key to yourself is relatively easy too, it can be copied through SCP to your workstation and into the relevant file in your home (unix) or in the dir where your ssh client lives (windows)

----- Original Message -----
From: Mitja Podreka
To: debian-user@lists.debian.org
Sent: Friday, June 17, 2005 10:05 AM
Subject: Re: Remote administration of a server

> Steve Garcia wrote:
> > You're pretty much correct -- the only really big problem is if something
> > gets so wedged that you have to hit the reset button. If there is someone
> > you can call to ask them to hit the button for you, you can handle
> > everything else remotely with no trouble.
>
> I will have people who can press the reset button for me. This is not a
> problem.
>
> > If you have a fixed IP in China, it would be a good idea to restrict ssh
> > access to the server so that only that IP can connect.
>
> I have an ADSL connection without a fixed IP; can I then set some kind of
> IP net mask to restrict access from other IPs?
>
> --
> Mitja Podreka
> http://mitja.kizej.net
Re: Remote administration of a server
Steve Garcia wrote:
> You're pretty much correct -- the only really big problem is if something
> gets so wedged that you have to hit the reset button. If there is someone
> you can call to ask them to hit the button for you, you can handle
> everything else remotely with no trouble.

I will have people who can press the reset button for me. This is not a problem.

> If you have a fixed IP in China, it would be a good idea to restrict ssh
> access to the server so that only that IP can connect.

I have an ADSL connection without a fixed IP; can I then set some kind of IP net mask to restrict access from other IPs?

-- 
Mitja Podreka
http://mitja.kizej.net
Re: Remote administration of a server
Robert Brockway <[EMAIL PROTECTED]>:
> On Sat, 11 Jun 2005, s. keeling wrote:
>
> > And if anyone can get at your console, they can CTRL-ALT-Backspace to
> > get to a logged in shell prompt. They may not still have your ssh-add
>
> No they can't. A session managed by a display manager does not fall back

Yup, sorry, I don't use a DM. Sorry for the noise.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.ietf.org/rfc/rfc1855.txt
Spammers! http://www.spots.ab.ca/~keeling/autospam.html
Re: Remote administration of a server
On Sat, 11 Jun 2005, s. keeling wrote:

> And if anyone can get at your console, they can CTRL-ALT-Backspace to
> get to a logged in shell prompt. They may not still have your ssh-add

No they can't. A session managed by a display manager does not fall back to a shell. If you C-A-Backspace from any session managed by a display manager the display manager will respawn and you will be presented with another graphical login window. Try it. If you really find this isn't happening then something is very broken in your X config.

You are probably thinking of startx which calls xinit. It does not use the ~/.xsession file - it uses ~/.xinitrc instead, although a lot of people do symlink them together for convenience. If you C-A-Backspace from a session started by startx then yes you will end up back at a shell prompt unless you exec startx (or something else in the chain of processes). I haven't started my X sessions this way for more than 10 years.

For some reason I've noticed a lot of people get the two methods of starting X mixed up. Man xdm and startx for more info.

> I prefer to ssh-add after an "exec /usr/bin/blackbox" in ~/.xsession,

The window manager must be the last thing run in ~/.xsession by definition. If you background the window manager then the session will exit as soon as you log in. If you don't background the window manager then nothing after it will run (whether you exec it or not).

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
Re: Remote administration of a server
Robert Brockway <[EMAIL PROTECTED]>:
> On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:
>
> > thing is a pain in the butt. At least on the Linux machines it is
> > straightforward and I set those up when I can to use keys instead of
> > passwords.
>
> May I introduce you to ssh-agent and ssh-add. They are a standard part of
> ssh and will operate between implementations (as long as no one has broken
> their implementation).
>
> This is the last line of my ~/.xsession file:
>
> ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"

And if anyone can get at your console, they can CTRL-ALT-Backspace to get to a logged in shell prompt. They may not still have your ssh-add added keys, but they can certainly slot something in to get them the next time you use them.

I prefer to ssh-add after an "exec /usr/bin/blackbox" in ~/.xsession, followed by a password protected xscreensaver. fwiw.

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - http://www.ietf.org/rfc/rfc1855.txt
Spammers! http://www.spots.ab.ca/~keeling/autospam.html
Re: Remote administration of a server
On Thu, Jun 09, 2005 at 08:02:06PM -0400, Robert Brockway wrote:
> On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:
>
> > Sadly, most people (myself included) have no passphrase on their SSH
>
> Hi. Using PKI with no passphrase drops the level of security
> significantly (as I'm sure you know).
>
> > keys. I also end up bouncing around a variety of machines (some Fedora
> > some Windows with PuTTY and some Windows with SSH.com). So the key
> > thing is a pain in the butt. At least on the Linux machines it is
> > straightforward and I set those up when I can to use keys instead of
> > passwords.
>
> May I introduce you to ssh-agent and ssh-add. They are a standard part of
> ssh and will operate between implementations (as long as no one has broken
> their implementation).
>
> This is the last line of my ~/.xsession file:
>
> ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"
>
> After entering my passphrase as part of the login process[1] I can ssh to
> boxes all over the world without so much as entering my passphrase and I'm
> doing it securely. Of course you need to keep your session secure if you
> are doing this (and I certainly do).
>
> [1] I can't log in successfully without the passphrase.
>

OK. I am now reformed :-) I discovered keychain (which handles both ssh-agent and gpg-agent from both an X login and a remote login). Very nifty. I also put passphrases on my keys. I figured it was about time. Though, I must admit that the clincher for me was the integration with gpg-agent so I wouldn't need to keep typing my passphrase for that.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: Remote administration of a server
On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:

> Sadly, most people (myself included) have no passphrase on their SSH

Hi. Using PKI with no passphrase drops the level of security significantly (as I'm sure you know).

> keys. I also end up bouncing around a variety of machines (some Fedora
> some Windows with PuTTY and some Windows with SSH.com). So the key
> thing is a pain in the butt. At least on the Linux machines it is
> straightforward and I set those up when I can to use keys instead of
> passwords.

May I introduce you to ssh-agent and ssh-add. They are a standard part of ssh and will operate between implementations (as long as no one has broken their implementation).

This is the last line of my ~/.xsession file:

    ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"

After entering my passphrase as part of the login process[1] I can ssh to boxes all over the world without so much as entering my passphrase and I'm doing it securely. Of course you need to keep your session secure if you are doing this (and I certainly do).

[1] I can't log in successfully without the passphrase.

Cheers,

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
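Rob's ~/.xsession line above loads a passphrase-protected key into an agent once at login, and Karsten's post near the top of this page lists the ssh-add switches that limit the exposure afterwards (-t for a lifetime, -x/-X to lock and unlock, -D to flush). The script below is an added example, not any poster's code: it walks through that whole lifecycle non-interactively, using the SSH_ASKPASS hook (the same path a display-manager session uses) to feed the passphrase, and shows that a locked agent serves nothing and that a key past its lifetime disappears on its own. It needs OpenSSH's ssh-keygen, ssh-agent and ssh-add; the key, passphrases and lifetimes are constructed for the demo.

```shell
#!/bin/sh
# ssh-agent lifecycle, scripted end to end: a passphrase-protected key is
# loaded into a private agent with a limited lifetime (ssh-add -t), the agent
# is locked and unlocked (-x / -X), identities are flushed (-D), and a
# short-lived key is shown to expire. Added example, not any poster's code.
# Needs OpenSSH's ssh-keygen, ssh-agent and ssh-add; the rest is POSIX sh.
# The key, passphrases and lifetimes are constructed for the demo.

# agent_start: launch a private agent and export SSH_AUTH_SOCK/SSH_AGENT_PID
# into this shell, which is what "eval $(ssh-agent)" does interactively.
agent_start() {
    eval "$(ssh-agent -s)" >/dev/null
}

agent_stop() {
    [ -n "$SSH_AGENT_PID" ] && kill "$SSH_AGENT_PID" 2>/dev/null
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# make_key DIR PASSPHRASE: create DIR/id_ed25519, encrypted under PASSPHRASE.
make_key() {
    ssh-keygen -q -t ed25519 -N "$2" -C demo-key -f "$1/id_ed25519" </dev/null
}

# with_askpass SECRET ssh-add ARGS...: run ssh-add with SECRET supplied by a
# throwaway SSH_ASKPASS helper. ssh-add consults the helper when its stdin is
# not a terminal and DISPLAY is set (SSH_ASKPASS_REQUIRE=force makes that
# explicit on OpenSSH 8.4+). A real session types the passphrase instead.
with_askpass() {
    secret=$1; shift
    helper=$(mktemp) || return 2
    printf '#!/bin/sh\nprintf %%s "$ASKPASS_SECRET"\n' >"$helper"
    chmod 700 "$helper"
    ASKPASS_SECRET=$secret SSH_ASKPASS=$helper SSH_ASKPASS_REQUIRE=force \
        DISPLAY=${DISPLAY:-:0} "$@" </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$helper"
    return "$rc"
}

# loaded_keys: number of identities the agent will currently serve. This is 0
# while the agent is locked (it answers with an empty list) and once every
# identity has passed its lifetime.
loaded_keys() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# demo: walk through the lifecycle, printing the key count after each step.
demo() {
    dir=$(mktemp -d) || return 1
    make_key "$dir" "correct horse" || return 1
    agent_start || return 1
    with_askpass "correct horse" ssh-add -t 60 "$dir/id_ed25519"
    echo "ssh-add -t 60 : $(loaded_keys) key(s)"
    with_askpass "lock-pw" ssh-add -x
    echo "ssh-add -x    : $(loaded_keys) key(s)   (locked: agent serves nothing)"
    with_askpass "lock-pw" ssh-add -X
    echo "ssh-add -X    : $(loaded_keys) key(s)"
    ssh-add -D >/dev/null 2>&1
    echo "ssh-add -D    : $(loaded_keys) key(s)"
    with_askpass "correct horse" ssh-add -t 1 "$dir/id_ed25519"
    sleep 2
    echo "after -t 1    : $(loaded_keys) key(s)   (expired: agent dropped it)"
    agent_stop
    rm -rf "$dir"
}

demo || echo "demo skipped: OpenSSH client tools not available?" >&2
```

The counts printed are 1, 0, 1, 0 and 0. In day-to-day use the same idea is `ssh-add -t 8h` at the start of the day and `ssh-add -D` (or `-x`) bound to the screen locker, so an unattended session carries no usable identities.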
Re: Remote administration of a server
On Thu, Jun 09, 2005 at 06:25:48PM -0400, Robert Brockway wrote:
> On Thu, 9 Jun 2005, Marty wrote:
>
> PKI makes things much more difficult. An attacker would need both your
> private key and your passphrase to gain entry. Brute forcing an ssh
> daemon that only accepts PKI access is an intractable problem.
>
> > keys secure (i.e. thumb drive? Floppy? Theft issues?)
>
> All of the hosts I have private keys for are under my control or my
> company's control. We have some clients that move around a lot and they
> do need to keep their private keys on a usb drive.
>
> As with everything in security some risk is always involved. A host's
> administrator may be sniffing keystrokes to get your passphrase and they
> may be automatically nabbing any private keys they see - but in reality
> this is not likely. If you think a machine is not safe don't ssh from it.
>

Sadly, most people (myself included) have no passphrase on their SSH keys. I also end up bouncing around a variety of machines (some Fedora, some Windows with PuTTY and some Windows with SSH.com). So the key thing is a pain in the butt. At least on the Linux machines it is straightforward and I set those up when I can to use keys instead of passwords.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: Remote administration of a server
On Thu, 9 Jun 2005, Marty wrote:

> Regarding PKI, are there any Debian or non-Debian packages you recommend

Hi Marty. The ssh related packages in Debian contain everything you need.

> for this use? Can you elaborate on your reasoning here, for a
> non-expert in security, or at least point to some links? I am
> particularly interested in why you think PKI is better than the plain
> ssh password/login procedure for this application, and how you keep your

Password access is highly susceptible to a brute force attack where the attacker just cycles usernames and passwords. Breaking in using a method like this isn't as hard as it first sounds as most people use fairly easily guessed usernames (eg, first names) and passwords. I regularly see attackers try this on my ssh daemons that don't accept password authentication :)

PKI makes things much more difficult. An attacker would need both your private key and your passphrase to gain entry. Brute forcing an ssh daemon that only accepts PKI access is an intractable problem.

> keys secure (i.e. thumb drive? Floppy? Theft issues?)

All of the hosts I have private keys for are under my control or my company's control. We have some clients that move around a lot and they do need to keep their private keys on a usb drive.

As with everything in security some risk is always involved. A host's administrator may be sniffing keystrokes to get your passphrase and they may be automatically nabbing any private keys they see - but in reality this is not likely. If you think a machine is not safe don't ssh from it.

Cheers,

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
Re: Remote administration of a server
Robert Brockway wrote:
> The key is that the console server should be no less secure than the
> servers whose consoles it has. This is because if someone takes control
> of the console server it is only a matter of time before they gain access
> to the other boxes. Usually this isn't a big deal as a fulltime console
> server would not run any services and would allow access via ssh with PKI
> authentication only.

Regarding PKI, are there any Debian or non-Debian packages you recommend for this use? Can you elaborate on your reasoning here, for a non-expert in security, or at least point to some links? I am particularly interested in why you think PKI is better than the plain ssh password/login procedure for this application, and how you keep your keys secure (i.e. thumb drive? Floppy? Theft issues?)
Re: Remote administration of a server
On Wed, 8 Jun 2005, Mitja Podreka wrote:

> Can this 2nd box be my laptop or must it be something else?

It can be a laptop or anything else. Basically you aim to have Linux (or another Unix) running on the laptop so you can ssh into this box and gain access to the serial console of your server through minicom (or a similar app).

A box with the console of other boxes connected is sometimes called a console server (especially if this is its fulltime job). Two boxes may act as the console server for each other - as long as one is on the network you can access the console of the other.

The key is that the console server should be no less secure than the servers whose consoles it has. This is because if someone takes control of the console server it is only a matter of time before they gain access to the other boxes. Usually this isn't a big deal as a fulltime console server would not run any services and would allow access via ssh with PKI authentication only.

Even if a laptop did not run Linux fulltime it could be booted off Knoppix (with ssh started) to act as a parttime console server.

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org
Re: Remote administration of a server
> If you're comfortable with the command line (or prepared to become so)
> this is pretty easy.

not yet comfortable, but I'm trying to be

> You may need the console from time to time. The best option if you can
> manage it is to setup a serial console. The down side is this requires a
> 2nd box controlled either by yourself or someone you trust implicitly.

Can this 2nd box be my laptop or must it be something else?

Thank you for the suggestions!

-- 
Mitja Podreka
http://mitja.kizej.net
Re: Remote administration of a server
On Sun, 7 Aug 2005, Mitja Podreka wrote:

> I will have (I hope :-) no problems setting up the server, I've done that
> already. What I worry about is how to administer the server from China?
> Will I only lack the access to the reset button, or something more? Which
> software should I use for this? What should I take special care at?

If you're comfortable with the command line (or prepared to become so) this is pretty easy. You can administer the box through ssh without a problem. I'm in Canada and administer boxes in various countries via ssh on a daily basis and have done so for many years. Disable password access and root access via ssh and only allow access to user accounts through PKI authentication.

You may need the console from time to time. The best option if you can manage it is to setup a serial console. The down side is this requires a 2nd box controlled either by yourself or someone you trust implicitly. With the serial console in place you can drop the box to single user mode, take it off the network, etc all from the other side of the world.

With a serial console the only things you lack are access to the BIOS and the reset button. Some motherboards allow access to the BIOS through the serial console but this may be more expensive and is not a big deal IMHO. Similarly 3rd party hardware is available to allow serial access to any BIOS but it is expensive.

Some housing facilities allow you to power cycle the box via a web interface. This is useful if you accidentally halt the box.

As always, just be very careful when you are root.

Good luck,

Rob

-- 
Robert Brockway B.Sc.
Senior Technical Consultant, OpenTrend Solutions Ltd.
Ph: +1-416-669-3073 Email: [EMAIL PROTECTED] http://www.opentrend.net
OpenTrend Solutions: Reliable, secure solutions to real world problems.
Contributing Member of Software in the Public Interest http://www.spi-inc.org