[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile

From: Michał Masłowski
Subject: Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile
Date: Tue, 27 Mar 2012 21:19:53 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (gnu/linux)

> But it outputs the fingerprint of the server's HostKey (which is
> located at /etc/ssh/ssh_host_rsa_key), not the AuthorizedKeysFile
> fingerprint.

Imagine there is a Mallory who can read, change or drop any packet going
out of your machine or in.  He can get all packets you sent to the
server running ssh, drop them and send forged reply packets.  You
connect to Mallory's machine as if it was the server you wanted to
connect to.  Then Mallory decrypts all packets and sends them to the
server, encrypts the replies and sends it back to you.  It's called a
man in the middle attack.  You need a way to detect this.

The server knows the private part of the host key and tells you the
public part.  Somehow ssh can verify that the server has the private
part for this key.  It saves they key in ~/.ssh/known_hosts, so it will
know next time if a different key is used (suggesting a man in the
middle attack being done during one of the connections, or the server
changing keys).  If you know what the key is, you can check if the
fingerprint shown on first connection is correct.

Keys in ~/.ssh/authorized_keys have a different use: they show to the
server that you know their private part, so the server should trust you
as the user who has this key listed in ~/.ssh/authorized_keys.

> What else should be done to restrict unauthorized access?

Disable any authentication not using the authorized keys.

> This guide [1] recommends to change ListenAddress to and
> Port to 666. (I want to use another port (and another address). Does
> it matter? 666 is used by Doom. [2])

It's ok if you don't use Doom or other services on port 666 and your
firewall/ISP doesn't prevent you from connecting to it.  For correctly
configured sshd, changing port should just lower the amount of login
attempts by bots, it's practically impossible for them to succeed when
only public key authentication is enabled (and they don't know your
private key and you haven't used a bad random number generator to make
the key pair).

> I'm new to networking. Could you explain what does "Port" and "Listen"
> mean in this case?

Your server probably has multiple IP addresses used for its services: for ones available only from the same machine (it's useful
since programs don't need changes to support it, unlike Unix domain
sockets which have friendlier addresses) and one available from other
machines (or more).  sshd listens on by default which means that
a connection to any IP address handled by the server on specific port
goes to ssh.  I wouldn't use a different address for sshd to listen on,
since I connect to my machines via ssh from other networks so I couldn't
restrict it usefully in such a way.

Ports are used to have multiple services accepting connections via TCP
on a single IP address.  The connection is done to a specific IP address
and port number.  (Ports from the same set are used on the other side of
the connection and other sets of ports are used for different protocols
like UDP, although this wouldn't normally affect sshd configuration.)

> How to use SSH with a non-standard port? Will it be something like
> this: ssh -i ~/.ssh/id_rsa <server's ip>:<new port number>?
> Is there a need for a username@ prefix before the server's ip (I
> changed PermitRootLogin to no)?

I have this fragment in ~/.ssh/config:

Host parabola
     Port 1863
     User repo
     IdentityFile ~/.ssh/id_rsa

If I don't specify the username@ prefix when connecting to parabola, it
will connect as user "repo" (by default the local user name is used).

Attachment: pgpScDSCywT_M.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]