Mailinglist Archive: opensuse-security (138 mails)

< Previous Next >
SPAM: Re: [suse-security] Openssh + security
  • From: Jaime Santos <jesantos@xxxxxxxxxxxxxxxxxxxx>
  • Date: Mon, 12 Dec 2005 00:18:09 +0100
  • Message-id: <439CB3B1.40805@xxxxxxxxxxxxxxxxxxxx>
Hi,

You can use RSA challenge-response authentication, and the machine you
are connecting to will only accept connections if you
have a private key (which you protect through a passphrase), provided
you disabled simple password login in it (in the
file sshd_config, see below). An attacker would need first to obtain a
copy of your private key and then would have to guess
the passphrase (note that, if he does obtain the private key, he can
launch a dictionary attack in the privacy of his room, so
the passphrase should be a very strong one).

The inconvenient is that you can only login from machines where this key
is saved (under your directory ~/.ssh) or you
have to otherwise carry such a private key with you on a diskette or USB
stick. In order to generate such a key, you can use
the ssh-keygen command. But, hey, security never rimes with conveniency
:-) ...

You should also disable root login via ssh, under all circunstances. And
only use the SSH2 protocol, SSH1 has known weaknesses
(someone else has just referred these two options as well).

The file to tweak is /etc/ssh/sshd_config. The list is sort of
self-explanatory. If you need further help, check the man pages
for ssh, ssh-keygen, ssh-agent and ssh-add. If this does not help, drop
me a note, I have a little bit of experience with the
use of ssh. Note that there is a wonderfull reference, from O'Reilly, on
SSH, 'SSH, the secure shell - The definitive guide', by
Barrett and Silvermann. It is really a definitive guide, I learned
practically everything from there.

As far as I know, the version OpenSSH_4.1p1, which shipped with 10.0,
has no known security bugs, but I could be wrong. In any
case, there are no patches to it from SuSE. Check the openssh website
for more information.

Hope this helps. Best, Jaime.


< Previous Next >
This Thread
  • No further messages