LinuxQuestions.org
Old 04-01-2007, 12:23 AM   #1
GeorgeMoney
LQ Newbie
 
Registered: Mar 2007
Distribution: Kubuntu edgy-eft
Posts: 3

Rep: Reputation: 0
SSH login alias


Is it possible to create a login alias in openssh?

What I mean is:
When I login to my home box locally (ie physically from the machine) I don't need a really secure username and pass. Everyone who has physical access to my computer knows my username and, well, they wouldn't have the time or the tools to crack my pass.

But what if I want to login remotely with ssh? Now a simple username and simple pass won't do. The script kiddies would catch on immediately.

So I want to be able to login with 'foo/foopass' locally, but when accessing my computer remotely, do NOT allow foo/foopass; instead, have something like b4R/b4Rp4$$!! and only allow that. And I don't mean just creating a new account named b4R, but make an alias so that b4R == foo, but only when logging in remotely.

And keys are not an option, they confuse me and I can't figure out how to get them to work in portable filezilla.

I'm sure this can be done in some PAM module but I am still very new to this so someone, please bear with me.
 
Old 04-01-2007, 03:35 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Interesting question - you can obviously login *from* a user account that doesn't match your server account, but I don't know whether OpenSSH can remap account names at the server.

I have to say that this won't increase or decrease your security, though. In practice, an Internet-connected computer with port 22 (SSH) open will be picked up by automated scanners within a few days. These try password guessing against common usernames ("root", "admin", etc.). You can stop them with any uncommon username, or by running SSH on a different port - they are sweeping thousands of addresses to find the one or two that are easy to crack.

If someone knows an account name and really wants to get into your system then they can run password crackers against the account until they eventually get the password, or you block their address (install DenyHosts or fail2ban to automatically block persistent login attempts). The main defense against password-guessing is key-based authentication.

Key-based authentication is well worth doing - not only does it stop password attack, but it also makes using SSH a very smooth experience, since connections don't stop to prompt you for a username and password.
 
Old 04-11-2007, 10:27 AM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by hob

If someone knows an account name and really wants to get into your system then they can run password crackers against the account until they eventually get the password, or you block their address (install DenyHosts or fail2ban to automatically block persistent login attempts). The main defense against password-guessing is key-based authentication.

Key-based authentication is well worth doing - not only does it stop password attack, but it also makes using SSH a very smooth experience, since connections don't stop to prompt you for a username and password.

If key-based authentication is implemented properly, you'll still be prompted for a passphrase. The passphrase will be for the key itself. Authenticating with the key can be made transparent by using ssh-agent, which holds private keys used for public key authentication. The agent will ask for the passphrase when adding the key to the agent, but once that is done, there is no longer a need to continue to authenticate, as the agent functions as a repository for the key and passphrase.

IMO, using private keys without establishing a passphrase is a very bad practice. The implications aren't so bad if the key is isolated and the opportunity for theft of the key is minimal, but if you're keeping a private key that has no passphrase on, for instance, a USB fob, and that fob gets lost, stolen, or is out of your sight for extended amounts of time (maybe on your desk while at lunch or a similar scenario), trust has been lost.

I know of many people using keys but not establishing passphrases on those keys. I've also seen this in enterprise environments, where one unprotected key is being utilized with hundreds of machines. Admins typically (in my experience) tend to follow the path of least resistance and, in this case, this is definitely bad.
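One way to audit for the passphrase-less keys described above, as an added example that is not part of the original post. It reads only the key file's envelope: the cipher name in the OpenSSH `openssh-key-v1` format, the `Proc-Type` header in legacy PEM, and the PKCS#8 encrypted label. Function names are hypothetical and the sample keys are constructed and contain no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def is_passphrase_protected(key_text):
    """Return True if the private key text is encrypted at rest."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # The first length-prefixed string after the magic is the cipher name.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return cipher != b"none"
    if header.startswith("-----BEGIN ") and header.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                   for ln in lines[1:3])
    raise ValueError("unrecognised private key format")

def unprotected_keys(keys):
    """keys: {name: key text}. Return sorted names lacking a passphrase."""
    return sorted(n for n, text in keys.items() if not is_passphrase_protected(text))

def _s(b):  # SSH wire-format string: uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def fake_openssh_key(cipher, kdf):
    # Constructed header only (magic, cipher, kdf, empty kdf options); no key material.
    body = base64.b64encode(MAGIC + _s(cipher) + _s(kdf) + _s(b"")).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples; none contains a usable key.
SAMPLES = {
    "id_ed25519_plain": fake_openssh_key(b"none", b"none"),
    "id_ed25519_enc": fake_openssh_key(b"aes256-ctr", b"bcrypt"),
    "id_rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                    "-----END RSA PRIVATE KEY-----\n",
    "id_rsa_enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                  "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n",
}
```

`unprotected_keys(SAMPLES)` names the two sample keys stored without a passphrase; to audit real files, pass a dict built from the contents of each private key file.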
 
Old 04-11-2007, 01:37 PM   #4
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Quote:
Originally Posted by unixfool
If key-based authentication is implemented properly, you'll still be prompted for a passphrase. The passphrase will be for the key itself. Authenticating with the key can be made transparent by using ssh-agent, which holds private keys used for public key authentication. The agent will ask for the passphrase when adding the key to the agent, but once that is done, there is no longer a need to continue to authenticate, as the agent functions as a repository for the key and passphrase.
<SNIP>
That's a good clarification.

Having to enter passphrases once after logging in doesn't break my flow at all, whilst login boxes popping up for each connection are a noticeable distraction. It's very pleasant not to have that happen, so I'm a big fan of key-based authentication.
 
  

