Koozali.org: home of the SME Server

secure remote SSH admin

Anthony

secure remote SSH admin
« on: February 10, 2002, 05:35:55 AM »
I have a need to log on via SSH remotely to my server while I am on the road.
Looking at security I noted that on the remote access page I can choose to
not allow access via standard passwords. (e.g. you set it to NO, now it asks for a password but they just don't work).
However the E-smith manual does not really explain how to set this up.

These are steps I took:

1) Created a new user, called him 'remote'.
2) Changed the shell of remote (chsh -s /bin/bash remote) (this way you can actually log on as remote - assuming you want to avoid logging on as root)
3) Logged on as remote and issued ssh-keygen (this creates the keys)
4) Typed in a very long and convoluted passkey (make it as weird as you like)
5) Copied identity.pub to authorized_keys (this is in the .ssh folder of remote)
6) Copied 'identity' to my laptop (this is from the .ssh folder of remote)
7) Via the webpanel set e-smith to not allow remote access via standard passwords.

Now I attach via PuTTY but use 'identity' as the private key when connecting.
I log on as remote and am prompted for the pass phrase. I enter that and am
now logged on. If I want to su I can now enter the root password.

The result is that to log onto my system you need the public key, you need to know that the only user who can log on is 'remote' and you need to know the pass phrase for remote.

Can anyone comment on my methods (either way).  
Could I get any more secure (apart from turning off public SSH....)
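The steps above touch two files on the server: sshd's configuration (what the "allow standard passwords = NO" panel switch ultimately controls) and the user's authorized_keys. The following POSIX shell script is an added example, not code from the thread or from SME Server; it audits constructed sample copies of both files for the settings that make a "keys only" setup actually hold (passwords off, keyboard-interactive off, root login off, public keys on) and reports whether each authorized_keys line is in the old SSH1 'identity.pub' format or the SSH2 format. All file contents and key material are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config and authorized_keys
# for a "public keys only" SSH setup. All sample files below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: the state the thread warns about (passwords still accepted).
cat >"$WORK/sshd_config.weak" <<'EOF'
# constructed sample config
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample: the hardened state the original poster was aiming for.
cat >"$WORK/sshd_config.hard" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# sshd uses the FIRST occurrence of a keyword, so this duplicate is ignored
PasswordAuthentication yes
EOF

# Constructed sample authorized_keys: one SSH1-format line (bits exponent
# modulus comment), one SSH2 line with options, one plain SSH2 line.
# The key material is dummy text, not real keys.
cat >"$WORK/authorized_keys" <<'EOF'
1024 35 123456789012345678901234567890 remote@laptop-ssh1
from="192.0.2.10",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAdummy remote@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIdummydummydummydummydummydummydummydummy remote@laptop
EOF

# Print the value sshd would use for a keyword: the FIRST uncommented
# occurrence wins, later duplicates are ignored. Output is lowercased;
# empty output means the keyword is absent and the built-in default applies.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Print one line per finding; return 0 only when the file matches the
# "keys only" intent of the thread, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; findings=0
    pw="$(sshd_directive "$cfg" PasswordAuthentication)"
    cr="$(sshd_directive "$cfg" ChallengeResponseAuthentication)"
    pk="$(sshd_directive "$cfg" PubkeyAuthentication)"
    root="$(sshd_directive "$cfg" PermitRootLogin)"
    # Absent PasswordAuthentication means the default "yes": passwords still work.
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication is '${pw:-unset (default yes)}'"; findings=$((findings+1))
    fi
    # Keyboard-interactive (PAM) can still prompt for a password; turn it off too.
    if [ "$cr" != "no" ]; then
        echo "FAIL ChallengeResponseAuthentication is '${cr:-unset (default yes)}'"; findings=$((findings+1))
    fi
    if [ -n "$pk" ] && [ "$pk" != "yes" ]; then
        echo "FAIL PubkeyAuthentication is '$pk'"; findings=$((findings+1))
    fi
    # The thread logs in as an unprivileged user and uses su; root over SSH is not needed.
    if [ -z "$root" ] || [ "$root" = "yes" ]; then
        echo "FAIL PermitRootLogin is '${root:-unset}'"; findings=$((findings+1))
    fi
    [ "$findings" -eq 0 ]
}

# Classify each authorized_keys line: ssh1 (numeric first field, the old
# identity.pub format), ssh2 (a key type, possibly after options), or unknown.
# Prints "ssh1=N ssh2=N unknown=N".
authorized_keys_summary() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^[0-9]+$/ { ssh1++; next }
        {
            found = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/) { found = 1; break }
            if (found) ssh2++; else unknown++
        }
        END { printf "ssh1=%d ssh2=%d unknown=%d\n", ssh1+0, ssh2+0, unknown+0 }
    ' "$1"
}

# Stand-alone demonstration on the constructed samples.
echo "== weak config =="; if audit_sshd_config "$WORK/sshd_config.weak"; then echo "OK"; fi
echo "== hardened config =="; if audit_sshd_config "$WORK/sshd_config.hard"; then echo "OK"; fi
echo "== authorized_keys =="; authorized_keys_summary "$WORK/authorized_keys"
```

Point the two functions at a real /etc/ssh/sshd_config and ~/.ssh/authorized_keys to check a server after flipping the panel switch; a mixed ssh1/ssh2 count in the summary is a quick way to see whether a key generated by one tool is in the format the other side expects.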

Filippo Carletti

Re: secure remote SSH admin
« Reply #1 on: February 11, 2002, 04:40:42 PM »
> 6) Copied 'identity' to my laptop (this is from the .ssh folder of remote)

How did you copy it?

> The result is that to log onto my system you need the public
> key, you need to know that the only user who can log on is
> 'remote' and you need to know the pass phrase for remote.

The pass phrase for remote's key.

> Can anyone comment on my methods (either way).  
> Could I get any more secure (apart from turning off public
> SSH....)

Keys can (and should) be created on your laptop. I didn't check PuTTY recently; a keygen was planned. You could run Linux or Cygwin on your laptop and use OpenSSH.
The private key is better transferred by floppy or another safe way.
I don't think there's a big difference in using your key to log on as remote or as root.
A keylogger on your laptop could reveal every password.

Ciao,
Filippo

Steven Reeves

Re: secure remote SSH admin
« Reply #2 on: February 13, 2002, 02:58:23 AM »
By default SSH2 uses public keys, right? So why do you need to transfer the key to your laptop?

Or did I miss the entire point.

Tom Carroll

Re: secure remote SSH admin
« Reply #3 on: April 15, 2002, 01:54:07 AM »
Anthony, do you have to have the allow password option set to NO for the public key procedure to work properly?

I'm asking because I am presently away from my server and have already locked myself out once, and was able to talk someone through the procedure to change the allow password option back to yes so I could get back in. However, when I try to log in with the SSH2 RSA key method while the password option is set to yes, it tells me the key is rejected and asks for the password. Does that sound right?

I need to do the exact same thing you are doing with PuTTY.  However, I am using the PuTTYgen key generator.  Should I be making SSH1 RSA keys?

I tried your method and it still didn't work, but I still had the password option set to yes.

Thanks!

Tom Carroll