On Wed, 2002-05-22 at 20:50, Shawn Fertch wrote:
>   I'm running OpenSSH 2.9p1, and would like to figure out a way to do the
> following:
> 
> 1)  Prevent root from logging in directly from an SSH connection.

This is set up in sshd_config (usually found in /etc or /etc/ssh).  Make
sure you have a line in there like

  PermitRootLogin No

> 2)  I want to run cronjobs that do scp copies to backup remote files on
> other servers.  However, I'm not sure how to do this.  Whenever I run
> scp, I get prompted for a password.  I'm assuming that by default, my
> scripts will run into this issue as well.

You want to use the `ssh-keygen' program to generate a public/private
keypair.  By default, the program generates RSA1 keys and puts them in
$HOME/.ssh/identity and $HOME/.ssh/identity.pub (the public key).  You
can add the contents of identity.pub to the $HOME/.ssh/authorized_keys
file on the remote host.  However, all that is generally for SSH
protocol version 1, which is considered unsafe.

It's probably preferable to generate keys used by SSHv2.  It uses RSA
and DSA keys.  You can tell ssh-keygen to generate those keys by passing
the parameter `-t rsa' or `-t dsa'.  RSA creates id_rsa and id_rsa.pub,
and DSA creates id_dsa and id_dsa.pub.  Copy the contents of the .pub
files to $HOME/.ssh/authorized_keys2 on the remote host.

There's probably a safer way to do it, but for now, don't put passwords
on the identity files.  Otherwise, you'll basically have the same
problem all over again.

When you have your script run, use `ssh-agent' to run it like

  ssh-agent <scriptname>

In your script, make sure that you run `ssh-add $HOME/.ssh/<filename>'
to add the private keys.  Whenever the ssh client attempts to connect,
it will try to authenticate with those keys, and will only prompt for a
password if that fails.

-- 
 _  _  _  _ _  ___    _ _  _  ___ _ _  __   I came, I saw, I did a
/ \/ \(_)| ' // ._\  / - \(_)/ ./| ' /(__   little shopping.
\_||_/|_||_|_\\___/  \_-_/|_|\__\|_|_\ __)  
[ Mike Hicks | http://umn.edu/~hick0088/ | mailto:hick0088 at tc.umn.edu ]
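
A check for the two things the setup above relies on, as an added example that is not part of the original message: that the first PermitRootLogin line sshd reads says no, and that a passphrase-less private key is readable only by its owner. The function names and the sample files are hypothetical, and lower-casing the value before comparing is a choice made in this example.

```shell
#!/bin/sh
# Added example; function names and sample files are hypothetical.

# Print the first PermitRootLogin value in an sshd_config file, lower-cased
# for comparison (a choice of this example), or "unset" if it never appears.
# sshd uses the first value it obtains for a keyword; keywords are
# case-insensitive and may be followed by whitespace or "=".
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        {
            n = split($0, f, /[ \t=]+/)
            if (tolower(f[1]) == "permitrootlogin" && n >= 2) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only if the key file exists and grants nothing to group or others.
# A key with no passphrase is protected by its file permissions alone.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit <sshd_config> <private_key>; exit status is the number of findings.
audit() {
    findings=0
    val=$(effective_root_login "$1")
    if [ "$val" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$val' in $1"
        findings=$((findings + 1))
    fi
    if ! key_perms_ok "$2"; then
        echo "FAIL: $2 is missing or accessible to group/others"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: the later "No" line is ignored by first-match.
demo=$(mktemp -d)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PermitRootLogin No' \
    > "$demo/sshd_config"
: > "$demo/id_rsa"; chmod 644 "$demo/id_rsa"
audit "$demo/sshd_config" "$demo/id_rsa" || echo "findings: $?"
rm -rf "$demo"
```
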