Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 04-01-2007, 01:23 AM
LQ Newbie | Registered: Mar 2007 | Distribution: Kubuntu edgy-eft | Posts: 3
SSH login alias
Is it possible to create a login alias in openssh?
What I mean is:
When I login to my home box locally (i.e. physically from the machine) I don't need a really secure username and pass. Everyone who has physical access to my computer knows my username and, well, they wouldn't have the time or the tools to crack my pass.
But what if I want to login remotely with ssh? Now a simple username and simple pass won't do. The script kiddies would catch on immediately.
So I want to be able to login with 'foo/foopass' locally, but when accessing my computer remotely, do NOT allow foo/foopass; instead, have something like b4R/b4Rp4$$!! and only allow that. And I don't mean just creating a new account named b4R, but make an alias so that b4R == foo, but only when logging in remotely.
And keys are not an option, they confuse me and I can't figure out how to get them to work in portable filezilla.
I'm sure this can be done in some PAM module but I am still very new to this, so someone, please bear with me.
#2, 04-01-2007, 04:35 PM
Senior Member | Registered: Mar 2004 | Location: Wales, UK | Distribution: Debian, Ubuntu | Posts: 1,075
Interesting question - you can obviously login *from* a user account that doesn't match your server account, but I don't know whether OpenSSH can remap account names at the server.
I have to say that this won't increase or decrease your security, though. In practice, an Internet-connected computer with port 22 (SSH) open will be picked up by automated scanners within a few days. These try password guessing against common usernames ("root", "admin", etc.). You can stop them with any uncommon username, or by running SSH on a different port - they are sweeping thousands of addresses to find the one or two that are easy to crack.
If someone knows an account name and really wants to get into your system then they can run password crackers against the account until they eventually get the password, or you block their address (install DenyHosts or fail2ban to automatically block persistent login attempts). The main defense against password-guessing is key-based authentication.
Key-based authentication is well worth doing - not only does it stop password attacks, but it also makes using SSH a very smooth experience, since connections don't stop to prompt you for a username and password.
#3, 04-11-2007, 11:27 AM
Member | Registered: May 2005 | Location: Northern VA | Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X | Posts: 782
Quote:
Originally Posted by hob
If someone knows an account name and really wants to get into your system then they can run password crackers against the account until they eventually get the password, or you block their address (install DenyHosts or fail2ban to automatically block persistent login attempts). The main defense against password-guessing is key-based authentication.
Key-based authentication is well worth doing - not only does it stop password attacks, but it also makes using SSH a very smooth experience, since connections don't stop to prompt you for a username and password.
If key-based authentication is implemented properly, you'll still be prompted for a passphrase. The passphrase will be for the key itself. Authenticating with the key can be made transparent by using ssh-agent, which holds private keys used for public key authentication. The agent will ask for the passphrase when adding the key to the agent, but once that is done, there is no longer a need to continue to authenticate, as the agent functions as a repository for the key and passphrase.
IMO, using private keys without establishing a passphrase is a very bad practice. The implications aren't so bad if the key is isolated and the opportunity for theft of the key is minimal, but if you're keeping a private key that has no passphrase on, for instance, a USB fob, and that fob gets lost, stolen, or is out of your sight for extended amounts of time (maybe on your desk while at lunch or a similar scenario), trust has been lost.
I know of many people using keys but not establishing passphrases on those keys. I've also seen this in enterprise environments, where one unprotected key is being utilized with hundreds of machines. Admins typically (in my experience) tend to follow the path of least resistance and, in this case, this is definitely bad.
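An added example, not code from any poster in this thread, for the point unixfool makes about keys stored without a passphrase: a small Python auditor that lists private keys under a directory such as ~/.ssh that are not passphrase-protected. It reads the openssh-key-v1 header (a cipher name of "none" means the key material is in clear) and the Proc-Type header of legacy PEM keys; the sample keys embedded below are constructed headers only, not real key material.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 format

def _ssh_string(b: bytes) -> bytes:
    # SSH wire "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b

def _constructed_openssh_key(cipher: bytes, kdf: bytes) -> str:
    # Constructed sample: only the header fields the auditor reads, no key material
    raw = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_OPENSSH_PROTECTED = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_OPENSSH_PLAIN = _constructed_openssh_key(b"none", b"none")
SAMPLE_PEM_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                        "Q0VOU09SRUQ=\n-----END RSA PRIVATE KEY-----\n")  # constructed, not a real key
SAMPLE_PEM_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ0VOU09SRUQ=\n-----END RSA PRIVATE KEY-----\n"

def key_is_passphrase_protected(text: str) -> bool:
    """True if the private key is encrypted with a passphrase, False if stored in clear."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # openssh-key-v1: the cipher name is the first string after the magic; "none" = unencrypted
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        pos = len(MAGIC)
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        return raw[pos + 4:pos + 4 + n] != b"none"
    # Legacy PEM (ssh-keygen -m PEM) advertises encryption in a Proc-Type header; PKCS#8 in the BEGIN line
    return "ENCRYPTED" in lines[0] or any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])

def find_unprotected_keys(directory: str) -> list:
    """Walk a directory such as ~/.ssh and list private key files that have no passphrase."""
    hits = []
    for path in (p for p in Path(directory).rglob("*") if p.is_file()):
        try:
            text = path.read_text(errors="replace")
            if "PRIVATE KEY-----" in text[:64] and not key_is_passphrase_protected(text):
                hits.append(str(path))
        except (OSError, ValueError):
            continue  # unreadable file, or PEM framing that is not an OpenSSH key
    return hits
```

Running `find_unprotected_keys(os.path.expanduser("~/.ssh"))` on a workstation gives the list of keys that would be usable by anyone who copies the file, which is the situation described above with shared or misplaced keys.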
#4, 04-11-2007, 02:37 PM
Senior Member | Registered: Mar 2004 | Location: Wales, UK | Distribution: Debian, Ubuntu | Posts: 1,075
Quote:
Originally Posted by unixfool
If key-based authentication is implemented properly, you'll still be prompted for a passphrase. The passphrase will be for the key itself. Authenticating with the key can be made transparent by using ssh-agent, which holds private keys used for public key authentication. The agent will ask for the passphrase when adding the key to the agent, but once that is done, there is no longer a need to continue to authenticate, as the agent functions as a repository for the key and passphrase.
<SNIP>
That's a good clarification.
Having to enter passphrases once after logging in doesn't break my flow at all, whilst login boxes popping up for each connection are a noticeable distraction. It's very pleasant not to have that happen, so I'm a big fan of key-based authentication.