Wednesday, June 24, 2009

OSX SSH / Remote Login - prevent brute force password attacks with a Key and Passphrase

If you have a machine on the internet that you can connect to via SSH, then you should consider disabling password access and use only key / passphrase.

First you need to create a key on the client machine

$ ssh-keygen -t dsa -f ~/.ssh/id_dsa username@domain.com
(Enter passphrase)

The username@domain.com can be of the form fred@google.com, or just fred. For example, to get to my machine at home from the Internet I login as

$ ssh name@server.domain.com

so thats what I put in for the key. However, when I am at home, I don't need FQDN or a different account name, so

$ ssh server

will do. Either is good.

next you need to
copy the key to the remote server
$ scp ~/.ssh/id_dsa.pub remoteserver:
user@server's password:

Then you need to login to the remote server:

$ ssh user@remoteserver:
user@server's password:

then you need to copy the key into the authorized keys file:
$ cat id_dsa_something.pub >> .ssh/authorized_keys2
$ chmod 600 .ssh/authorized_keys2

if you get an error about "
authorized_keys2" not being available, its likely because the account on remote machine has never SSH'd to anywhere else. So SSH to somewhere and try again.

now, when you do

$ ssh remoteserver

you should get the SSH-AGENT dialog box


When this is working, you can then turn off password authentication. On the remote machine opne the sshd_config file

$ nano /private/etc/sshd_config

and locate the lines below, removing the #

PasswordAuthentication no
ChallengeResponseAuthentication no

restart SSH and you are good to go

on the client you can manage your SSH identities for example:

to list the identities
$ ssh-add -l

to delete all identities, which you might want to do if you are doing a key re-fresh

$ ssh-add -D
All identities removed.

more at the man page developer.apple.com/documentation/Darwin/Reference/ManPages/man1/ssh-add.1.html

No comments: