Mailinglist Archive: opensuse (1570 mails)

Re: [opensuse] Coordinated, distributed ssh attacks?
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Mon, 05 Oct 2009 08:50:55 +0200
  • Message-id: <hac50f$b4k$1@xxxxxxxxxxxxxxxx>
David C. Rankin wrote:

> On Sunday 04 October 2009 03:52:59 am Per Jessen wrote:
>> I'm still considering moving to the no-password-login setup as Hans
>> Witvliet suggested. It's clearly the optimal solution, I'm just a
>> little concerned about the management when each server needs to
>> "know" about (need to have the key) each possible client.
>>
>> /Per
>
>
> Per,
>
> That's the best part about it. On each host, just do
>
> cd ~/.ssh
> ssh-keygen -t dsa
> cp id_dsa id_dsa.hostname
> cp id_dsa.pub id_dsa.pub.hostname
>
> do the same thing for root but append an r to the end of the names
> (id_dsa.pub.hostnamer).

Hi David

thanks, I'll have to take a closer look now. I do understand the
process, I've got a couple of dedicated users operating only with
challenge-response (for automated tasks).
I guess the main reason I'm a little concerned is that, seen from an ssh
pov, I've got 13 external servers/clients and 10-12 local
clients/servers. Times 4 users who at times will need the access.
Yes, local workstations have a shared /home, but production systems
don't, nor do the external systems.

Hmm, I've just been reading a bit about ssh agent forwarding - that
might just solve part of my issue. I was thinking of the following
scenario: user-1 on client-1 connects to server-1. Does some stuff, then
needs to rsync something from server-2 or client-4 - as long as
user-1@client-1 is allowed access to server-2 or client-4, will it
still work (via this ssh agent forwarding setup)?


/Per

--
Per Jessen, Zürich (9.6°C)
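
Added example (not part of the original message or the thread): one way to turn the per-host public-key copies from the quoted steps into a single authorized_keys file for a server, rejecting stray private keys and duplicates. The function name, the directory of collected keys and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the id_dsa.pub.<hostname>
# copies made in the quoted steps were gathered into one directory.
# build_authorized_keys and both path arguments are hypothetical names.

# usage: build_authorized_keys <dir-with-collected-keys> <output-file>
build_authorized_keys() (
    keydir=$1
    out=$2
    umask 077                                  # result must be private to the account
    tmp=$(mktemp "$out.XXXXXX") || exit 1      # build beside the target, swap in at the end
    for f in "$keydir"/id_*.pub.*; do
        [ -f "$f" ] || continue
        # A private key copied by mistake must never reach a server.
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "skipped private key file: $f" >&2
            continue
        fi
        # Keep only lines shaped like "<key-type> <base64-blob> [comment]".
        # ssh-dss is accepted because the thread uses DSA keys; current
        # OpenSSH releases no longer enable DSA by default.
        grep -E '^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' \
            "$f" >> "$tmp" || true
    done
    # Same key under two comments is one key: de-duplicate on type + blob.
    awk '!seen[$1 " " $2]++' "$tmp" > "$tmp.uniq" || exit 1
    rm -f "$tmp"
    mv "$tmp.uniq" "$out"
)
```

The output file is written with mode 600 and replaces the target only after the merge has finished, so a failed run leaves the existing authorized_keys untouched.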
