Wednesday, June 24, 2009

OSX SSH / Remote Login - prevent brute force password attacks with a Key and Passphrase

If you have a machine on the internet that you can connect to via SSH, then you should consider disabling password access and allowing only key / passphrase logins.

First you need to create a key on the client machine

$ ssh-keygen -t dsa -f ~/.ssh/id_dsa
(Enter passphrase)

The can be of the form, or just fred. For example, to get to my machine at home from the Internet I login as

$ ssh

so that's what I put in for the key. However, when I am at home I don't need the FQDN or a different account name, so

$ ssh server

will do. Either is good.

Next you need to copy the public key to the remote server:

$ scp ~/.ssh/ remoteserver:
user@server's password:

Then you need to login to the remote server:

$ ssh user@remoteserver
user@server's password:

Then you need to append the key to the authorized keys file:
$ cat >> .ssh/authorized_keys2
$ chmod 600 .ssh/authorized_keys2

If you get an error about "authorized_keys2" not being available, it's likely because the account on the remote machine has never SSH'd anywhere else, so its .ssh directory doesn't exist yet. SSH to somewhere from that account and try again.
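The two remote-machine commands above (the cat >> and the chmod 600) assume ~/.ssh already exists, which is exactly what goes wrong in the error just described. The following shell function is an added example, not code from the original post: it performs the same install step, but creates the .ssh directory with the right mode first and skips any key that is already present. The function name install_pubkey, its arguments, and the sample DSA public-key line used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into a
# user's authorized_keys file, creating ~/.ssh first so the
# "authorized_keys2 not available" error cannot happen.
# Usage: install_pubkey <home_dir> <pubkey_file> [authorized_keys_name]
# Prints the number of key lines that were newly added.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    # The post uses authorized_keys2; sshd's default AuthorizedKeysFile
    # setting reads both names, so default to the canonical one here.
    keys_name=${3:-authorized_keys}
    ssh_dir="$home_dir/.ssh"
    keys_file="$ssh_dir/$keys_name"

    # sshd (with StrictModes, the default) ignores a .ssh directory or
    # authorized_keys file that others can write to, so set the modes
    # explicitly instead of relying on the umask.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$keys_file"
    chmod 600 "$keys_file"

    # Append only the key lines that are not already in the file, so that
    # re-running the install never produces duplicates.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ""|"#"*) continue ;;   # skip blank lines and comments
        esac
        if ! grep -qxF -- "$line" "$keys_file"; then
            printf '%s\n' "$line" >> "$keys_file"
            added=$((added + 1))
        fi
    done < "$pubkey_file"
    echo "$added"
}
```

On the remote machine you would run it as `install_pubkey "$HOME" id_dsa.pub` after copying the .pub file over. One caveat for anyone following the post today: DSA keys like the one ssh-keygen -t dsa produces are refused by default in OpenSSH 7.0 and later, so on a current system generate an Ed25519 or RSA key instead; the install step is identical.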

Now, when you do

$ ssh remoteserver

you should get the SSH-Agent dialog box asking for your passphrase.

When this is working, you can then turn off password authentication. On the remote machine open the sshd_config file

$ nano /private/etc/sshd_config

and locate the lines below, removing the leading # and making sure they read:

PasswordAuthentication no
ChallengeResponseAuthentication no

Restart SSH and you are good to go.
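Before restarting sshd it is worth confirming that the file really says what you think it does, since a typo here locks you out. The shell functions below are an added example, not part of the original post: they read an sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, whole-line comments are ignored, and anything after a Match block is conditional) and report whether both settings from the post are explicitly off. The function names sshd_setting and password_logins_disabled and the sample config contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file
# for the two settings the post changes.

# Print the effective value of KEYWORD in an sshd_config-style file.
# sshd takes the first uncommented occurrence of a keyword, matches
# keyword names case-insensitively, accepts "Keyword value" as well as
# "Keyword=value", and applies lines after a Match block conditionally,
# so scanning stops there. Prints "unset" when the keyword is absent.
# Usage: sshd_setting <config_file> <keyword>
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # sshd allows whole-line comments only
        NF == 0 { next }                    # blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, parts, /[ \t=]+/)   # "Keyword value" or "Keyword=value"
            k = tolower(parts[1])
        }
        k == "match" { exit }               # later lines are conditional; stop
        k == key { print tolower(parts[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only when password-based logins are fully turned off, i.e. both
# PasswordAuthentication and ChallengeResponseAuthentication are explicitly
# "no". sshd defaults both to yes, so a commented-out line ("unset") still
# means password logins are allowed.
# Usage: password_logins_disabled <config_file>
password_logins_disabled() {
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = "no" ]
}
```

Run `password_logins_disabled /private/etc/sshd_config && echo ok` on the server before the restart, and keep your current session open while you test a fresh key-based login from a second terminal. On a live system `sudo sshd -T` prints the configuration sshd actually loaded and is the authoritative check; the parser above is for looking at config files offline. Newer OpenSSH releases rename ChallengeResponseAuthentication to KbdInteractiveAuthentication and keep the old name as an alias, so a config written as in the post still works.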

On the client you can manage your SSH identities, for example:

To list the identities:
$ ssh-add -l

To delete all identities, which you might want to do if you are doing a key refresh:

$ ssh-add -D
All identities removed.

More in the ssh-add man page.
