LinuxQuestions.org
Old 08-11-2009, 11:17 AM   #16
pwc101
Senior Member
 
Registered: Oct 2005
Location: UK
Distribution: Slackware
Posts: 1,847


Quote:
Originally Posted by qwertyjjj
I created a user testuser with password
then added AllowUsers testuser in the config file
However, whenever I login with this user it says access denied after the password.

?
You can try sshing in with maximum verbosity turned on to see why it fails:
Code:
ssh -vvv user@host -p 1234
 
Old 08-11-2009, 11:32 AM   #17
nuwen52
Member
 
Registered: Feb 2009
Distribution: Debian, CentOS 5, Gentoo, FreeBSD, Fedora, Mint, Slackware64
Posts: 208

A difference between a key and a password is that the user never gets a login/password prompt. The key is stored in a file that the ssh client knows where to find. The key itself is a VERY long string of characters (a couple hundred I think). I think you can do preshared keys even if the client is DHCP, but someone else might know better about that.

On the point of locking out root login: on a Linux machine, root is the only user that is pretty much certain to exist. So, if root isn't available to a hacker, they have to guess both login and password.

(personal opinion follows)
What it all comes down to is which things you find useful in securing the system. Locking out root and alternate ports are the ones I find most useful.
 
Old 08-11-2009, 11:49 AM   #18
centosboy
Senior Member
 
Registered: May 2009
Location: london
Distribution: centos5
Posts: 1,137

Me too.
I use a jumpbox. SSH requests can ONLY come from this box. You get to this box using an RSA keyfob, so no password guessing here.

From the jumpbox, ssh to any servers
No root logins allowed.
sudo access
Preshared DSA keys
 
Old 08-11-2009, 11:51 AM   #19
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

I disable root login, use passwordless login and use the allowusers directive to limit users.

Passwordless login uses a keypair. One key (the public key if I'm not mistaken) resides on the server; the other one (the private key) is on the client machine(s) or you can carry it around on a memory stick. The private key is protected with a passphrase. An attacker needs both the private key and the passphrase to be able to get in.

PS I'm not that convinced of moving the port. A port scan will still reveal it as an open port. But that is my opinion and I might miss something.

Last edited by Wim Sturkenboom; 08-11-2009 at 11:55 AM. Reason: Added PS
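
Added example (not part of any post in this thread): a small POSIX shell audit of the settings raised in posts #16 and #19, namely AllowUsers, disabled root login and key-only login, run against a constructed sshd_config. The function names and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample sshd_config (not any poster's real file).
SAMPLE_CONFIG='Port 1234
PermitRootLogin no
PasswordAuthentication no
AllowUsers testuser admin@192.168.1.*
PermitRootLogin yes'

# Effective value of KEYWORD: sshd keeps the first occurrence of most keywords
# and matches keywords case-insensitively. Match blocks are not evaluated.
effective_value() {  # usage: effective_value KEYWORD CONFIG_TEXT
    printf '%s\n' "$2" | awk -v k="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }'
}

# Succeeds if USER passes AllowUsers: with no AllowUsers line there is no
# restriction; otherwise USER must match a listed pattern (* and ? wildcards).
# The optional @host part of a pattern is stripped, not checked.
user_allowed() {  # usage: user_allowed USER CONFIG_TEXT
    patterns=$(printf '%s\n' "$2" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }')
    if [ -z "$patterns" ]; then return 0; fi
    while IFS= read -r p; do
        case "$1" in ${p%%@*}) return 0 ;; esac
    done <<EOF
$patterns
EOF
    return 1
}

# One line per finding for the practices recommended in the thread.
audit() {  # usage: audit USER CONFIG_TEXT
    findings=0
    if [ "$(effective_value PermitRootLogin "$2")" != "no" ]; then
        echo "WARN: PermitRootLogin is not 'no'"; findings=$((findings + 1))
    fi
    if [ "$(effective_value PasswordAuthentication "$2")" != "no" ]; then
        echo "WARN: password logins are still accepted"; findings=$((findings + 1))
    fi
    if ! user_allowed "$1" "$2"; then
        echo "WARN: $1 is not matched by AllowUsers"; findings=$((findings + 1))
    fi
    echo "$findings finding(s) for user $1"
}

audit testuser "$SAMPLE_CONFIG"
```

On a live server, `sshd -T` prints the effective configuration as sshd itself computed it, which also covers Match blocks.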
 
Old 08-11-2009, 02:10 PM   #20
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Quote:
Originally Posted by Wim Sturkenboom
PS I'm not that convinced of moving the port. A port scan will still reveal it as an open port. But that is my opinion and I might miss something.
Point blank. But to be honest I never had any problems after moving the port. I guess it's them script kiddies that do most of the probing. So moving the port is just 90% safe. The skilled ones do it the other way anyways. Besides, snort most of the time catches those port scans.

To be foolproof, try something like port knocking to open up the SSH port.
 
  

