Comments on: Setup the SSH server to use keys for authentication

By: GNot

GNot — Sat, 24 Feb 2007 02:29:01 +0000

This is indeed very convenient functionality, which I have overlooked. I’ll look into it more thoroughly and update the guide as required. Thanks for your feedback.

By: katalin

katalin — Fri, 23 Feb 2007 18:17:22 +0000

just a suggestion as I see you’ve mentioned in the article “Take a note of the fingerprint.” you might want to expand the article to include the support of dns servers (bind) for SSHFP record which allows you to add the fingerprint in DNS and ssh can check for this before connecting to a machine. relevant pages man ssh-keygen search for SSHFP.

By: Gnot

Gnot — Fri, 05 May 2006 11:43:19 +0000

Thanks Kanenas! :-) You also do a very good job over at kanenas.net providing very useful tips.

By: kanenas.net

kanenas.net — Thu, 04 May 2006 22:43:45 +0000

Bravo !!! Polu kali douleia…

By: Gnot

Gnot — Wed, 26 Apr 2006 18:01:50 +0000

Hi, Nick. Thanks for your comment.
Yes, as long as you have your private key (for example id_dsa.pub) with you, you can connect to the SSH server from any client machine or user account you like.

By: Nick

Nick — Wed, 26 Apr 2006 15:57:44 +0000

Great article, this had me up and going in a few minutes.

However, I have one question.

Can I take the keypair generated on clientone (my primary) and use it from different clients?

What I would like to do is copy my keys to a usb drive and be able to connect to my server from any workstation, not just my primary one.

Thanks again for your awesome article!

By: Richard K Miller

Richard K Miller — Thu, 08 Dec 2005 00:49:50 +0000

Awesome article! I’ve referred back to it several times.

By: Gnot

Gnot — Fri, 18 Nov 2005 23:28:02 +0000

This is exactly what I was looking for. Trevor, thanks a lot for this one! Absolutely a "must-read" article.

By: Trevor

Trevor — Fri, 18 Nov 2005 21:16:28 +0000

Raoul:

Below is a great article on portknocking for SSH.
Since I implemented this, I have completely eliminated all SSH brute force attacks.
I log connection attempts on port 22.
If I want to allow people access to my webserver, ftp, or ssh, I just have to tell them to first go to:
http://myip:{secretport#}
It will fail, but after that, their IP is free to hit said service.
This is for my home box so I only turn on ftp or web service as necessary.

http://www.dotancohen.com/howto/portknocking.php

By: Gnot

Gnot — Thu, 17 Nov 2005 04:48:42 +0000

Thanks for the comments. Tdot: There is excellent info in your article. I guess all should read it as brute force attacks on the SSH servers is a constant issue. Using keys makes it extremely difficult for someone to break into the system, but, on the other hand, all this traffic from scripts/bots trying to connect is annoying and it makes log files grow big. This is a good read! I also have in mind to search for some info about configuring iptables in a such way that someone would need to ping some ports in a certain order before the SSH port opens, but I didn't have the time to do so. efutch: Hmm, I guess you are right. The meaning is not 100% clear. The proper phrase would be allow only a specific group of users to connect instead of authenticate. I'll edit it as soon as possible. Thanks.