Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
SSH access for "strange" machines.
I am currently running SSH on a Raspberry Pi which is always on. I do this so that, if I want, I can boot my desktop machine (with WoL) and access files, etc., when I'm elsewhere with my laptop and retrieve files and the like, I can also log in on my Blackberry, which is nice. That bit is all good -- I run SSH on a non-standard port to keep the script kiddies out of my log files and I use public key to, hopefully, further avoid the brute-forcers.
Where it falls down is twofold:
1) I currently allow password login on my desktop machine (NAT'd so SSH not exposed to the internet) even though I have a valid key on my laptop because I don't want to put my key on the Pi in case, for some reason, the pi becomes compromised. I know that with only SSH exposed to the internet (it has MPD and HTTP exposed internally) and using WPA2 with a fairly strong password that's not too much of a risk, but it still worries me a little. Would there be a way to use keys on my desktop but be more secure? Is that what the password option for SSH keys is for?
2) I cannot log into the Pi form unknown machines, however. I could, on Linux hosts, use my encrypted USB stick with a backup of my data to add the relevant key on a friend's machine (people I trust with my life) however if they're running Windows (or perhaps even MAC) then I can't access LUKS encrypted USB stick. I could, of course, carry my key unencrypted but that seems silly given that my backup is encrypted and, while it is a remote possibility that anyone stealing my wallet (where I keep my backup) is stored would work out what the key is and use it it still feels wrong.
So, does anybody have any comments or suggestions which could make things as little clearer and more logical for me?
Also, I have installed Fail2Ban but am beginning to doubt that it does anything in its default configuration -- ought I to look into changing it's configuration?
Pi runs Raspbian and desktop runs Sid. Laptop runs Windows 8.1 with puTTY and may dual boot with Sid also.
Yes, you should be protecting your ssh keys with a password/phrase. Also, if you use ssh-agent, you can ssh -a to your PI, and then ssh to your desktop by forwarding your ssh agent. Then, no key is needed on the PI.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Original Poster
Rep:
Quote:
Originally Posted by kfritz
Yes, you should be protecting your ssh keys with a password/phrase. Also, if you use ssh-agent, you can ssh -a to your PI, and then ssh to your desktop by forwarding your ssh agent. Then, no key is needed on the PI.
Thanks, I'll do some reading up on SSH-agent is sounds like it could be useful to me.
After reading your post I'm still very unclear on what you have setup or what your goal is...
It's looks like you want to know how to login to your rpi via ssh from various computers but don't want to do it with the key as it would require unlocking a usb drive?
Not sure what you mean by "put your key on the rpi"
There's not much risk of copying your public key to the rpi to permit easy access. Public keys are meant to be copied to servers so it knows how to encrypt the symmetric key that the session will use.
You can permit password access to your rpi, but understand the inherent security risks behind that. Make sure root login is disabled and the user permitted to login to the rpi has very limited permissions & test your fail2ban config by attempting multiple bad entries & seeing if it bans you. Of course, make it a strong password.
You can ensure only one user (such as bob) is permitted to connect from a external network by adding this in your rpi's /etc/ssh/sshd_config. I presume your lan starts with 192.168.1.
AllowUsers *@192.168.1.*,bob
See this post for more info on conditional statements
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Original Poster
Rep:
Sorry, I know I rambled.
Briefly, the issue with logging on with other machines is that if I'm using a windows machine I have no access to any private key so can't use the usual SSH method to lo on and would have to resort to password which seems far too insecure.
The issue with the RPi is that if I keep a key on that which allows access to my desktop then anybody who compromises the RPi gets to wake the desktop and do that they like to it under my standard user account -- which is not acceptable.
if I'm using a windows machine I have no access to any private key so can't use the usual SSH method to log on and would have to resort to password which seems far too insecure.
The issue with the RPi is that if I keep a key on that which allows access to my desktop then anybody who compromises the RPi gets to wake the desktop and do that they like to it under my standard user account -- which is not acceptable.
How much of a variety of computers are you accessing? Are we talking possibly any computer, or a small group?
Reason I am asking is if you document the ips you will be connecting from (ips of friends you trust your life would be a good start) you can use that to restrict password entry to just those computers.
you can do a search (or ask your friends to) like this https://duckduckgo.com/?t=lm&q=what+...ress&ia=answer
or in terminal -> curl myexternalip.com/raw
to get the external ip address
For example, if your friends computers are located at 423.36.214.6, 323.456.35.6, 732.646.88.32 and you want user 273 to login, you can put in this at the bottom of your sshd_config file (make sure to set the default PasswordAuthentication as no!) Everywhere else would require pub key only
Code:
Match Address 423.36.214.6,323.456.35.6,732.646.88.32 User 273
PasswordAuthentication yes
Per the second issue, if you are worried your rpi could be compromised, set your ssh_config on your desktop to permit just password_auth.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Original Poster
Rep:
Thanks, I'd not thought of the IP restrictions. The friends are few but the locations and machines could be any OS anywhere in the world at least initially. We travel and we use computers which we don't own in hotels and the like.
I'm wondering now about a user account just for accessing media remotely...
a user account just for accessing media remotely...
I suggest creating a new user with no permissions to anything with a very strong password. Then give them the min amount to access the media, or write if you want but nothing else. Presume beforehand it is compromised, what would you be willing to let the account have access or write access too?
Do you need a interactive shell? If you're just accessing media, you could use the ftp procotol (sftp) or sshfs.
have a match statement would limit it in external connections only.
Subsystem sftp internal-sftp
AllowUsers *@192.168.1.*,limitedmedia
Match Address *,!192.168.1.* User limitedmedia
AllowTCPForwarding no
X11Forwarding no
ForceCommand internal-sftp
Basically you are worried about two things:
Having just a password exposes you to cracking attempts (brute force or otherwise)
Having just a key pair exposes you to accidently permitting someone to get full access should you lose it. Plus, the media it's on is encrypted, so windows is out.
Try this:
Create a new ssh-keypair with rsa encryption, 4096 bit with 100 rounds (makes brute forcing the key more difficult)
Make sure to put in a strong password when it asks for it. This is not required but a smart thing to do
If you follow the command exactly, your keypair will be located at ~/ as outnabout_rsa (private key) and outnabout.pub (public)
Code:
ssh-keygen -t rsa -b 4096 -a 100 -f ~/outnabout_rsa
Windows putty will not be able to open this file, however can convert it. When you have time get both keypairs. If windows putty cannot convert the key because it's encrypted, re-generate the key without the password and then convert the key.
Don't store this key on any encrypted medium windows cannot access, even if it doesn't have a password.
Now, let's setup your openssh server so that you can only access if you have both the key and password. But only from a external network and only permit your user to login
Code:
# Allow all users to login from lan, and 273 from anywhere
AllowUsers *@192.168.1.* 273
# If user 273 logs in from any address except starting with 192.168.1, match statement to require password and key to access
Match User 273 Address *,!192.168.1.*
PasswordAuthentication yes
AuthenticationMethods publickey,password
Append your public key to the servers ~/.authorized_keys (or use ssh-copy-id).
Now, even if someone knows your password, they cannot access unless they have your key. Same for vice versa, if they have your key but not your password it's still useless.
If you encrypt your key, it's even more useless
It's a bit overkill, so it only applies to external networks and your username.
Feel free to copy this private key to your own account of each of your friends (only this key!). But if you do this, there is one loose end we need to tie up.
We need to make sure that the private key can only be used from external networks. Technically, if your friends at some point go into your lan, they would have full access to your server.
Edit the ~/.authorized_keys file and go to your public key line. (If you just added it, it's at the bottom)
the line should start with ssh-rsaAAAAblahblah
Prepend it with the following which means, any network but anything starting with 192.168.1.
Code:
from="*,!192.168.1.*"
so it looks like this:
Code:
from="*,!192.168.1.*" ssh-rsaAAAAblahblah
Now the key is only useable in a external network, where if used requires a password & key auth. However is useless in LAN. Since you created it only for this purpose, it's perfect.
Use your normal private key to do everything else.
Another option would be a dongle like Yubikey to provide one-time passwords for that account. That would entail carrying something around but you would not have to worry about a key or password getting reused by keyloggers on the Windows machines.
Putty, along with its ssh-agent ("pageant" ... cute, huh?) ought to be able to do all of the things you need with regards to digital certificates. Including the handling of encrypted ones.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.