l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 7: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2001 Dec 30 17:08

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] SSH Server.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] SSH Server.



On 11 Aug 2001, Brad Benedict wrote:
> I want to set up an SSH server, but I'm having problems with the RSA
> keys.  I've been reading the man page, but I'm not really getting it.  I
> don't know if I already have, them, or if I need to get them...I don't
> even know what they are.  Can somebody tell me what's going on, and how
> to get an SSH server giong?

I thing that the ssh1 servers from openssh and ssh.com both generate their
random numbers (do the p and q thing) when you make and install them from
source. From a package, I would expect them to also do this, but do not
recall for certain seeing it take place.

If you are looking to generate a key for the "rlogin style" of logging
into a server, then there is often a program like ssh-keygen (has its own
man page) that you can use to generate keys and store on a client machine
and on the server. I do not like this because it makes it easier for a
comprimised machine to be used to comprimised other machines where trust
is shared.

ssh1 has had a few exploits posted against it - mostly against the initial
key exchange when connecting to a new host. They now suggest users of ssh1
make their initial key exchanged via sneakernet or through other
"secure" means.

One way I have used is to keep a copy of my ~/,ssh/known_hosts available
in some fashion and move it to the new machine in some secure way. If you
need to add a new entry to ~/.ssh/known_hosts you can use several means.
One that I have used is to copy my known_hosts file to the server in
question, and then ssh to the servername's FQDN which will then do the
key-exchange locally (never touching the net) making a man in the middle
attack 9as well as others) a bit tricky. Once the key exchage takes place,
I can take the newly appended known_hosts to other servers, or even copy
with scp since no key exchange is needed. :-)

Your cryptography experts migt be able to better explain the technical
risks with the initial key exchange as well as man-in-the middle
attacks. I believe my associate could better expain some of this, but he
is rather busy.

(Tell 'em brotha Dugan!) Yes, on a soapbox and got my robes no here :-o

One last thing to point out, as many people new to ssh dont realize:
"SSH is for creating a 'secure' connection over an insecuure network. It
is NOT secure on insecure machines or for securing insecure machines!"

So, if you go to a library, ISP, friend's house, or Moscone Center for
MacWorld and use a Java based ssh client to connect to your server or a
client you install on their machine, you could be opening up your server
for a break-in. A keyboard sniffer, or trojaned OS at the site you are
using could grab your password as your type it on the keyboard! SSH is
good for working between machines that you trust, and "own" not so good
with machines you do not own. Security model is just blown out of the
water because it does not seek to solve the problem of machine the client
machine secure. (Not its problem to solve, never was.)

OK! Who stole my soapbox? If you wanted me to stop yacking, you could have
just told me! :-)

-ME

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++ 
L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ !PGP
t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
------END GEEK CODE BLOCK------
decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
     Systems Department Operating Systems Analyst for the SSU Library


LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.