Old 01-11-2010, 08:49 PM   #1
cpragman
All Star
 
Join Date: Jan 2004
Location: Limerick, PA
Posts: 777
SSH RSA keys security question

I want to make sure I haven't made a security mistake in setting up my RSA keys in configuring SSH. The SLS manual contains a guide that has the private key stored on the server, and the public key stored in an authorized_keys2 file on the remote Mac I will be connecting from. In practice, this seems to bypass the password protection I specified when I ran keygen (I am not being prompted for the key password). It also seems to be opposite what I have read on a lot of websites regarding how to set up SSH.

Suggestions?
cpragman is offline   Reply With Quote
Old 01-11-2010, 10:24 PM   #2
acme.mail.order
League Commissioner
 
Join Date: Sep 2003
Location: Tokyo
Posts: 6,263
Other way round. The private key stays on YOUR computer (hence 'private') and the public key goes in the ~/.ssh/authorized_keys file on the computer you want to connect to. If it's done properly you won't be asked for a password when you log in again - that's the whole point of public/private keys.
acme.mail.order is offline   Reply With Quote
Old 01-12-2010, 06:59 AM   #3
fracai
MVP
 
Join Date: May 2004
Posts: 2,078
Though it would probably be a good idea to not use a passphrase-less key-pair. If your private key ever gets out, anyone can log in to your machines just as you would. It'd be better to use a passphrase that can be cached by the system Keychain or gpgagent.
fracai is offline   Reply With Quote
Old 01-12-2010, 08:32 AM   #4
cpragman
All Star
 
Join Date: Jan 2004
Location: Limerick, PA
Posts: 777
So is the Apple manual wrong, or did I just read it wrong?

Strangely, after setting it up backwards, I've been able to log in to the server fine! Is there a setting I need to change to REQUIRE the use of RSA keys, and deny attempts without the key?
cpragman is offline   Reply With Quote
Old 01-25-2010, 05:53 AM   #5
cpragman
All Star
 
Join Date: Jan 2004
Location: Limerick, PA
Posts: 777
Got it working right finally. Put the private key on my laptop, and the public key on the server and now I can log in without a password.

What was confusing me was that I was being offered a password prompt when logging in, and was able to successfully connect when I entered it. After reading more, what I see was that the RSA key was not working, and SSH was dropping back to password authentication. Since I knew the correct password (mine), I was getting successfully logged in anyway.

Taking a look at the secure.log shows me the server is undergoing a constant stream of dictionary attacks, so next I read some more about SSH, and was able to completely turn off password authentication (in /etc/sshd_config), so that only RSA keys can get you in. That's a nice feature!
cpragman is offline   Reply With Quote
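Added example, not part of the thread: a check that an sshd_config (the file post #5 edited) really leaves keys as the only way in, since turning off password authentication alone can leave keyboard-interactive prompts enabled. The function names, the constructed sample config and the assumed upstream OpenSSH defaults are this example's own.

```shell
#!/bin/sh
# Added example: does this sshd_config really refuse password-style logins?

# effective_value FILE KEYS DEFAULT
# KEYS is a lowercase keyword, or aliases joined with "|". sshd keeps the FIRST
# value it reads for a keyword, so later duplicates are ignored. Only the global
# section is read: parsing stops at the first Match block.
effective_value() {
    awk -v keys="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# keys_only FILE: prints one finding per problem, returns 0 only if the global
# section leaves public keys as the only way in. Defaults passed below are the
# upstream OpenSSH defaults (assumption: the vendor build did not change them).
keys_only() {
    cfg=$1; rc=0
    pw=$(effective_value "$cfg" 'passwordauthentication' yes)
    kbd=$(effective_value "$cfg" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)
    pk=$(effective_value "$cfg" 'pubkeyauthentication' yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication=$pw: password logins accepted"; rc=1; }
    [ "$kbd" = no ] || { echo "keyboard-interactive=$kbd: PAM can still prompt for a password"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication=$pk: keys are disabled"; rc=1; }
    return "$rc"
}

# Constructed sample: password auth is off, but the challenge-response line is
# still commented out, so its default (yes) applies.
sample_config() {
    cat <<'EOF'
# constructed sample, not from the thread
PasswordAuthentication no
#ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

if [ "$#" -gt 0 ]; then
    keys_only "$1"
else
    tmp=$(mktemp); sample_config > "$tmp"
    keys_only "$tmp" || echo "result: not key-only"
    rm -f "$tmp"
fi
```

Pass the path of the server's config file as the first argument to audit it instead of the sample. On OpenSSH builds that support it, `sshd -T` prints the effective settings as the daemon itself computes them.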

Tags
rsa, ssh

All times are GMT -5.

