LinuxQuestions.org
Old 01-08-2013, 07:12 AM   #1
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 22

Rep: Reputation: Disabled
Any Reason Why Public Key Authentication Couldn't Be Enabled?


We're setting up with a hosting company, and I suspect they are a small local company (our design company are engaging them to host the site they are writing for us) so while it's nice to support our local economy I think (to be diplomatic about it) they maybe can't afford the calibre of sysadmins they ideally should have.

We're asking for SSH access to our area in the server (we currently seem to be on a shared hosting plan - don't even go there - but we may be moving to a dedicated server) and have this via password authentication, but as I'm wanting to do some automated uploads I wanted to set up public key authentication. After much um-ing and ah-ing with their tech support it turns out that there's "only password authentication allowed, and they don't have any timescales on enabling it". Now, as far as I was aware this should be quite a simple modification to the ssh daemon's config file, so it shouldn't be difficult? Are there any technical reasons why this couldn't be enabled? Not sure what server, exactly, they're using (they don't want people poking around too much), but it's Kernel version 2.6.32-279.19.1.el6.x86_64 and it looks like they're using OpenSSH_5.3.

Thanks - MH
 
Old 01-08-2013, 08:34 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,665
Blog Entries: 54

Quote:
Originally Posted by Mad-Halfling View Post
I wanted to set up public key authentication.
Good choice.


Quote:
Originally Posted by Mad-Halfling View Post
After much um-ing and ah-ing with their tech support it turns out that there's "only password authentication allowed, and they don't have any timescales on enabling it". Now, as far as I was aware this should be quite a simple modification to the ssh daemon's config file, so it shouldn't be difficult?
Even more if you look at a stock /etc/ssh/sshd_config or read 'man sshd_config' you'll find PubkeyAuthentication=yes is the default. (Unfortunately so is PasswordAuthentication so you'll be asked for the pass if pubkey auth fails.)


Quote:
Originally Posted by Mad-Halfling View Post
Are there any technical reasons why this couldn't be enabled?
Given the situation I'd suggest you just generate keys, configure pubkey auth and see if it works without using "support".
 
Old 01-08-2013, 08:36 AM   #3
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,451

You probably want to use dedicated hosting, from them or from someone else. If you're simply wanting to exchange information, consider a Dropbox or Google Docs. And if what you ultimately want is a web-site, look at places like "weebly.com."
 
Old 01-08-2013, 11:43 AM   #4
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 22

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Given the situation I'd suggest you just generate keys, configure pubkey auth and see if it works without using "support".
Way ahead of you - already tried it and found it isn't working (as you said, I was sure it was configured, by default). Unfortunately I have no admin rights on the server and in the T&Cs are "if you attempt to look outside your home directory, your account will be suspended" so I can't even try to check the SSH server config. I queried this with them, via our design company (that's my only communication method, at the moment) and was told it wasn't enabled - hence my question regarding whether there is a technical reason why it wouldn't/couldn't be enabled.
I'm somewhat dubious as to the hosting company's technical abilities, and this (unless there's some issue of which I am unaware) compounds this suspicion. They also mentioned, in their SSH T&C that it's more secure to not have it enabled and to use their web interface - well, technically one less point of entry _is_ more secure, if you're not using it, but their servers should, surely, be properly hardened against brute force attacks, and the like, so it shouldn't, really, be an issue?

I'm not directly involved with the project, I'm just responsible for getting records from our DB into the DB on the server, so I only have a limited say on who and which service we use. It needs to run from a script that's called from a data changing event, on the web server (again, not ideal from my point of view) so I'm currently working on using Cygwin to SCP the data over, then remotely run a script on the SSH connection to import the data into the database. I'm figuring that's the best way to get the data over, as the data is being updated on a Windows web server, so I have to get creative to get the data imported - unless there's a better way for Windows to interact with a remote Linux server, on which I only have user-level credentials. It's not insurmountable as I am testing using "expect" to get over the password input, but this is obviously far from ideal.

Last edited by Mad-Halfling; 01-08-2013 at 11:46 AM.
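(Added example, not part of any poster's message: when the server's sshd_config is off limits, the client's own `ssh -v` output still shows which authentication methods the daemon advertises. The sample debug lines below are constructed, and `user@host` is a placeholder.)

```shell
#!/bin/sh
# List the auth methods an SSH server advertises, using only the client's
# debug output (no access to the server's sshd_config is needed).

# offered_methods: read `ssh -v` debug text on stdin and print the method
# list from the first "Authentications that can continue" line.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# pubkey_offered: succeed if "publickey" is in the comma-separated list.
pubkey_offered() {
    case ",$1," in
        *,publickey,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: client debug output from a password-only server.
SAMPLE_PASSWORD_ONLY='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password'

# Constructed sample: client debug output from a server with stock settings.
SAMPLE_DEFAULT='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey'

# report: summarise one captured debug stream.
report() {
    methods=$(printf '%s\n' "$1" | offered_methods)
    if pubkey_offered "$methods"; then
        echo "server offers: $methods -> publickey is enabled in the daemon"
    else
        echo "server offers: $methods -> publickey is not offered"
    fi
}

report "$SAMPLE_PASSWORD_ONLY"
report "$SAMPLE_DEFAULT"

# Against a real host (placeholder user@host), capture the debug stream:
#   ssh -v -o PreferredAuthentications=publickey -o BatchMode=yes \
#       user@host true 2>&1 | offered_methods
```

If `publickey` is listed but key login still fails, the daemon setting is not the cause; the account side (the `authorized_keys` file and the permissions on it and on `~/.ssh`) is the place to look.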
 
Old 01-08-2013, 12:26 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,665
Blog Entries: 54

Quote:
Originally Posted by Mad-Halfling View Post
Way ahead of you
No way you are. You just forgot to mention it in your OP.


Quote:
Originally Posted by Mad-Halfling View Post
whether there is a technical reason why it wouldn't/couldn't be enabled.
Can't think of any.


Quote:
Originally Posted by Mad-Halfling View Post
I'm somewhat dubious as to the hosting company's technical abilities
That's an understatement.


Quote:
Originally Posted by Mad-Halfling View Post
They also mentioned, in their SSH T&C that it's more secure to not have it enabled
Pubkey auth is a security best practice. Any SSH tutorial worth something should point that out. So let's classify their stance as what it is: sheer unadulterated male bovine excrement.


Quote:
Originally Posted by Mad-Halfling View Post
their servers should, surely, be properly hardened against brute force attacks
From what you posted your provider doesn't exactly have the "we're taking care of business" kind of vibe. Pubkey auth never should be an issue.


Quote:
Originally Posted by Mad-Halfling View Post
unless there's a better way for Windows to interact with a remote Linux server, on which I only have user-level credentials.
That should be a separate thread, preferably in a forum like Newbie, Server or Linux General.
 
Old 01-08-2013, 12:46 PM   #6
Mad-Halfling
LQ Newbie
 
Registered: Apr 2012
Posts: 22

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
No way you are. You just forgot to mention it in your OP.
Sorry, thought I had, hehe - typing in a bit of a hurry



Quote:
Originally Posted by unSpawn View Post
Can't think of any.
Glad there wasn't anything obvious I was missing


Quote:
Originally Posted by unSpawn View Post
That's an understatement.
I suspect my server at home is more secure than theirs.....
Personally, if I was adminning their server and was concerned about SSH access I'd disable password authentication, enable public key authentication and say "if you want SSH access in, send us your public key and we'll install it, if you don't know how to do that then you shouldn't be using SSH" (a bit BOFH, but it maintains security).


Quote:
Originally Posted by unSpawn View Post
Pubkey auth is a security best practice. Any SSH tutorial worth something should point that out. So let's classify their stance as what it is: sheer unadulterated male bovine excrement.

From what you posted your provider doesn't exactly have the "we're taking care of business" kind of vibe. Pubkey auth never should be an issue.
As you can probably see, I'm 100% with you on this.

Quote:
Originally Posted by unSpawn View Post
That should be a separate thread, preferably in a forum like Newbie, Server or Linux General.
Yes, sorry, was going to do that later, just thought I would pop it in, in case there was a quick alternative - but yes, I'm a bad boy for encouraging thread-diversion =8)
 
  

