Re: [PLUG] ssh public/private key login authentication?
If you're granting him limited access, lock him from going outside his home directory tree. Enable auditing, look at the logs from time to time. Recent versions of sshd can restrict to an IP/range. A few to start with.

On Jul 4, 2014 6:35 PM, "Keith Lofstrom" wrote:
> Question?
>
> Without getting into incompetence, impersonation,
> man-in-the-middle, drugs and pipe wrenches ...
>
> I have a friend in another state who I want to give ssh access
> to on one of my machines. If I understand ssh key exchange,
>
> 1) he makes a private/public key pair for openssh
> 1a) using a recent Linux, of course
> 2) he sends me the public key over the unencrypted internet
> 3) I put it in the .ssh/authorized_keys2 in his user directory
>
> ... and we are probably good to go, yes? Not perfect security,
> but enough, I hope, to irritate a typical national spy agency.
>
> If necessary, we can escalate the complexity of the transfer,
> (key encoded in carrier pigeon DNA - sequence DNA, eat bird)
> but complication is insecure in its own way.
>
> Keith
>
> --
> Keith Lofstrom kei...@keithl.com
> ___
> PLUG mailing list
> PLUG@lists.pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
Re: [PLUG] ssh public/private key login authentication?
And if you're Cisco, you also embed your private key in the firmware of your VoIP product line so you don't lose it. Just in case you wanted a really easy backdoor for the entire platform shipped with every piece of hardware. Security is important! (;

On Jul 6, 2014 10:31 AM, "Russell Johnson" wrote:
>
> On Jul 4, 2014, at 8:38 PM, Russell Senior wrote:
>
> > The main thing is that you are sure you have the right public key.
> > So, you could pipe the public key through sha512sum or something and
> > recite the hash over the phone to be sure it's the same at both ends.
> > The public key doesn't need to be secret.
>
> Those are the important bits. One of the great things about public/private
> keys is it does not matter who has the public key. It only matters who has
> the private key. Many people have posted their public key on their web
> site, etc.
>
> Russell Johnson
> r...@dimstar.net
Re: [PLUG] ssh public/private key login authentication?
On Jul 4, 2014, at 8:38 PM, Russell Senior wrote:
> The main thing is that you are sure you have the right public key.
> So, you could pipe the public key through sha512sum or something and
> recite the hash over the phone to be sure it's the same at both ends.
> The public key doesn't need to be secret.

Those are the important bits. One of the great things about public/private keys is it does not matter who has the public key. It only matters who has the private key. Many people have posted their public key on their web site, etc.

Russell Johnson
r...@dimstar.net
Re: [PLUG] ssh public/private key login authentication?
> "Keith" == Keith Lofstrom writes:

Keith> Question?

Keith> Without getting into incompetence, impersonation,
Keith> man-in-the-middle, drugs and pipe wrenches ...

Keith> I have a friend in another state who I want to give ssh access
Keith> to on one of my machines. If I understand ssh key exchange,

Keith> 1) he makes a private/public key pair for openssh
Keith> 1a) using a recent Linux, of course
Keith> 2) he sends me the public key over the unencrypted internet
Keith> 3) I put it in the .ssh/authorized_keys2 in his user directory

Keith> ... and we are probably good to go, yes? Not perfect security,
Keith> but enough, I hope, to irritate a typical national spy agency.

Keith> If necessary, we can escalate the complexity of the transfer,
Keith> (key encoded in carrier pigeon DNA - sequence DNA, eat bird)
Keith> but complication is insecure in its own way.

The main thing is that you are sure you have the right public key. So, you could pipe the public key through sha512sum or something and recite the hash over the phone to be sure it's the same at both ends. The public key doesn't need to be secret.

Although, theoretically, a national spy agency might have a big dictionary where they can look up the key pair by the public key.

Also, build a continuous radar detector, so you can figure out when your "implant" is being illuminated and re-radiating your secrets.

--
Russell Senior, President
russ...@personaltelco.net
Re: [PLUG] ssh public/private key login authentication?
On Fri, Jul 04, 2014 at 06:35:03PM -0700, Keith Lofstrom wrote:
> Question?
>
> Without getting into incompetence, impersonation,
> man-in-the-middle, drugs and pipe wrenches ...
>
> I have a friend in another state who I want to give ssh access
> to on one of my machines. If I understand ssh key exchange,
>
> 1) he makes a private/public key pair for openssh
> 1a) using a recent Linux, of course
> 2) he sends me the public key over the unencrypted internet
> 3) I put it in the .ssh/authorized_keys2 in his user directory
>
> ... and we are probably good to go, yes? Not perfect security,
> but enough, I hope, to irritate a typical national spy agency.
>
> If necessary, we can escalate the complexity of the transfer,
> (key encoded in carrier pigeon DNA - sequence DNA, eat bird)
> but complication is insecure in its own way.

That's how it works. You need to get the permissions correct on the files in ~/.ssh or it will refuse to work.

--
Michael Rasmussen, Portland Oregon
Be Appropriate && Follow Your Curiosity
Education isn't filling a pail but lighting a fire. ~ WB Yates
Re: [PLUG] ssh public/private key login authentication?
Most recent distributions of ssh just use 'authorized_keys'. It wouldn't hurt having both, but then you won't know which is required :-). I guess 'man ssh' will tell you the right answer. But who reads docs. (Ubuntu 14.4 no longer mentions authorized_keys2)

Don't forget permissions for the .ssh directory (700)

steve

Keith Lofstrom wrote:
> Question?
>
> Without getting into incompetence, impersonation,
> man-in-the-middle, drugs and pipe wrenches ...
>
> I have a friend in another state who I want to give ssh access
> to on one of my machines. If I understand ssh key exchange,
>
> 1) he makes a private/public key pair for openssh
> 1a) using a recent Linux, of course
> 2) he sends me the public key over the unencrypted internet
> 3) I put it in the .ssh/authorized_keys2 in his user directory
>
> ... and we are probably good to go, yes? Not perfect security,
> but enough, I hope, to irritate a typical national spy agency.
>
> If necessary, we can escalate the complexity of the transfer,
> (key encoded in carrier pigeon DNA - sequence DNA, eat bird)
> but complication is insecure in its own way.
>
> Keith
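As an added example (not code posted by anyone in this thread), the following POSIX shell script does what the replies above describe: it hashes the received public key with sha512sum so the fingerprint can be read back over the phone as Russell Senior suggests, then installs the key into ~/.ssh/authorized_keys with the 700 directory and 600 file permissions that steve and Michael point out sshd insists on, and optionally prefixes the `from=` option (a real authorized_keys option documented in sshd(8)) to restrict the key to an IP range as the first reply suggests. The key line, the address range and the home directory used here are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example, not from the PLUG thread. Verify a public key received over an
# untrusted channel against a hash recited out of band, then install it the
# way sshd expects.

# Constructed placeholder, NOT a real key. Use the line exactly as your friend
# sent it; any change (even whitespace) alters the hash.
FRIEND_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAM friend@example.invalid'

# Hash of the key line, computed the same way at both ends: the key followed by
# a newline, as `sha512sum id_ed25519.pub` would see it in the file.
pubkey_hash() {
    printf '%s\n' "$1" | sha512sum | cut -d' ' -f1
}

# Compare the hash of what arrived with the hash read over the phone.
# Returns success only when they match.
verify_pubkey() {
    key="$1"
    expected="$2"
    actual=$(pubkey_hash "$key")
    [ "$actual" = "$expected" ]
}

# Append the key to $home/.ssh/authorized_keys with permissions that satisfy
# sshd's StrictModes check: directory 700, file 600, nothing group/world-writable.
# $3 (optional) is an address or CIDR range for the from= option, which makes
# sshd accept this key only from matching client addresses.
install_pubkey() {
    home="$1"
    key="$2"
    allowed_from="$3"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    line="$key"
    if [ -n "$allowed_from" ]; then
        line="from=\"$allowed_from\" $key"
    fi
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Octal mode of a path, GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Typical use (hash value is whatever your friend reads to you):
#   verify_pubkey "$FRIEND_PUBKEY" "$HASH_FROM_PHONE" \
#       && install_pubkey "/home/friend" "$FRIEND_PUBKEY" "203.0.113.0/24"
```

Run `pubkey_hash` on the key at both ends and compare the two hashes before calling `install_pubkey`; the installed file must also be owned by the account the key is for, or sshd will ignore it under StrictModes.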
[PLUG] ssh public/private key login authentication?
Question?

Without getting into incompetence, impersonation,
man-in-the-middle, drugs and pipe wrenches ...

I have a friend in another state who I want to give ssh access
to on one of my machines. If I understand ssh key exchange,

1) he makes a private/public key pair for openssh
1a) using a recent Linux, of course
2) he sends me the public key over the unencrypted internet
3) I put it in the .ssh/authorized_keys2 in his user directory

... and we are probably good to go, yes? Not perfect security,
but enough, I hope, to irritate a typical national spy agency.

If necessary, we can escalate the complexity of the transfer,
(key encoded in carrier pigeon DNA - sequence DNA, eat bird)
but complication is insecure in its own way.

Keith

--
Keith Lofstrom kei...@keithl.com