Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you have the ssh server running on the RH7.2 machine, it generated the keys the first time you booted it. To log into it from one of the clients, assuming the others are *Nix machines and have the client on them:
ssh username@192.168.0.1 (this is assuming that the ssh machine doesn't have a real domain name... sub in whatever IP you gave it. If you give the machine an entry in /etc/hosts, you can use that instead.)
If the clients are winboxen, and you don't have an ssh client, plug "putty" into google and take the first hit.
[jwp@space jwp]$ ssh root@192.168.168.251
The authenticity of host '192.168.168.251 (192.168.168.251)' can't be established.
RSA key fingerprint is fa:69:cd:82:7d:93:c6:56:4d:b9:fc:9d:8a:e6:05:eb.
Are you sure you want to continue connecting (yes/no)?
Yes, that's the key exchange, it'll be stored in a file called .ssh/known_hosts or known_hosts2 and compared every time you make the connection. Therefore if the key every changes suddenly, you would know that you are not actually connecting to the machine you want to.
That would make more sense if you image that the ssh server is a machine out there in the world.
SSH checks user name and password. so if you don't have a password on a certain account, and someone tries to connect on that account, yes of course they can log in. Otherwise you are secure. The reason for SSH is that it encrypts data being sent, so that no one can read it. Telnet, as i understand it, was the precursor to this sort of thing, and it sent passwords as plain text so that just about anyone could get the passwords, which was unfortunate. SSH is not vulnerable to this.
Essentially, now you are as secure as your system's passwords and accounts are. don't have dictionary passwords (normal words like car and sandwich, use snDwch8X as it is harder to guess), and change them every so often, and you will be fine.
The keys are more for the client's protection; if they don't match, the client will refuse to finish the connection. For instance, if someone hijacks the domain you're ssh'ing into, but doesn't have the key... you get a warning about that and the ssh client spams your screen about a "man in the middle attack". Also once you have that key on your side, no information travelling between the client and the server is ever un-encrypted. That's really the whole point. Of course anyone can ssh to your machine willy-nilly, but without a password what can they do?
So, in this case, I am relying on the strength of my server's user accounts and passwords.
But, I don't want to allow anyone from the Internet even the ability to reach a login prompt on my server.
The last time I did ssh, I had to copy the server's public key to each client that I wanted to grant access to. And for all the clients that I didn't copy the public key to, they simply could not even reach a login prompt.
A better way may be to bind the ssh server to your Class C 192 address, so unless you are port forwarding 22 somewhere from the NAT box (which I highly doubt), then 22 is never exposed to the outside world. In RedHat the init script is probably (I run Slack mostly), /etc/init.d/sshd and should bind by default to 0.0.0.0 or 127.0.0.1.
Locate a file called sshd_config, probably in /etc/sshd. Its read every time the daemon starts. One of the first lines in it is ListenAddress, and by default its commented out. Try binding it to the class C. and then try to ssh into the machine from the outside world through its public IP. Also, if you don't know about this toy already, you may want to try nmap to check your network to see if its running anything its shouldn't be.
Sorry, I didn't have access to a Linux box yesterday to poke around.
Well actually the broadcast address for my network is 192.168.168.255.
192.168.168.0 is the network, since the netmask is 255.255.255.0.
But if I put in 192.168.168.251 into the sshd config file, how does it know what network I am on? For example, my netmask could be anything like 255.255.255.192. It seems to be assuming that my netmask is 255.255.255.0 (correctly in this case).
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.