[NBLUG/talk] I'm getting ssh scanned! Should I be worried?

Dave Sisley dsisley at arczip.com
Sat Oct 23 08:00:34 PDT 2004


Thanks, Augie!

On Fri, Oct 22, 2004 at 10:24:19PM -0700, Augie Schwer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Mon, 18 Oct 2004 11:28:36 -0700, Dave Sisley <dsisley at arczip.com> wrote:
> > Then I generated some ssh key pairs on my home machine and the laptop
> > I usually log in from (as well as on my sonic shell account - see more
> > below).
> > My only hesitation was that setting up ssh this way would prevent me
> > from logging in to my home box from some machine when I hadn't put the
> > public key from that remote machine into the authorized_keys2 file of
> > my home machine.
> 
> You don't have to create all these key pairs if you don't want to.
> One key pair would suffice.
> 
> Just create one key pair; keep the private key only on trusted
> machines and upload the private key to the servers you want
> to log on to.

Hmmm... I'm confused (obviously).  Since the goal is to be able to log
into my home box from a few trusted machines, I thought I needed to
generate key pairs on each of those machines and provide the public
key from the remote machines to my home machine.  This is done by
appending the remote machine's public key to my home box's
authorized_keys2 file.

Are you saying I could have just created a pair on the home box
and used the public key from that set?  It sounds like I got it
backwards (except that it works!).

>  
> > To work around this issue, I figured out a scheme (which you are all
> > encouraged to critique).  Since I have shell access at sonic, I just
> > set up a key pair between that server and my home box.  So, when I'm
> > at school or anywhere else, I can log in to my sonic account with a
> > password and then reach my home machine from there.  I also considered
> > Frank's suggestion to carry my home key with me on a floppy (or other
> > medium), but I knew I would forget to lug it around.
> 
> Frank is absolutely right; do not ssh from un-trusted machines, and
> do not keep your private keys on un-trusted machines.
> 

I'm not sure what you mean here.  I should consider the sonic account
to be un-trusted?  As for not keeping my private keys on an un-trusted
machine, do you mean the private key from my home box (because that
makes sense - that private key stays on that machine).  Or do you mean
I should not keep the private key generated on the sonic machine on
the sonic machine?  In which case, how do I log into my home box from
there?

- Or is the larger point that I should not be logging in via sonic?

> > I'd also like to use a non-standard port for ssh, but I've run into
> > some confusion; I must be missing something.  I thought that all I
> > need to do is edit sshd_config so that the daemon is listening on the
> > new port:
> > #Port 22
> > Port <some really high number, above 1024>
> > Now restart sshd.
> > Then, when I log in from a remote box, I just need to tell ssh to use
> > that new port number:
> > ssh -p <really high number> me at my.home.machine
> > Unfortunately, I get a 'connection refused' message.  I even tried
> > regenerating the keys on the remote box and rebooting my home machine
> > (in case some service other than sshd needs restarting).
> > Anybody know what I'm missing?
> 
> That's all it should take. Does it work when you change it back to the
> standard port?
> 
> What does ssh -v me at my.home.machine say?

I made another attempt to change the port number, and I can log into
the home box from my laptop with the new port number, but I can't from
outside via my sonic account.  Here is the verbose output from the
sonic terminal (with certain details mangled because I am paranoid).


$ ssh -v -p 12345 me at my.home.machine
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
debug1: Reading configuration data /opt/openssh-3.2.3p1/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 36195 geteuid 36195 anon 1
debug1: Connecting to my.home.machine [ip address] port 12345.
debug1: temporarily_use_uid: 36195/501 (e=36195)
debug1: restore_uid
debug1: temporarily_use_uid: 36195/501 (e=36195)
ssh: connect to address <ip address> port 12345: Connection refused
debug1: restore_uid

So now the only thing that's changed is the port on which sshd is
listening.  Why can't I get in?  I can't think of what setting would
only allow me to log in via port 22.

Thanks again for the help!  

-dave.

-- 
Dave Sisley
dsisley at arczip.com
roth-sisley.net
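An added example for the two points the message wrestles with; it is not part of the original thread and nothing in it is code from Dave or Augie. The direction of the key exchange is: the key pair is generated on the machine you type on, its private half stays there, and only the public half (one line of text) is appended to ~/.ssh/authorized_keys on the machine you log in to (modern OpenSSH reads authorized_keys and, for compatibility, authorized_keys2 by default). The helper below appends a key idempotently and sets the permissions that sshd's default StrictModes insists on, since a group- or world-writable ~/.ssh or authorized_keys silently disables key login. The second helper reads an sshd_config and prints the port(s) the daemon will actually bind, ignoring the commented-out `#Port 22` line; when that says 12345 but the laptop on the LAN gets in and the outside world is refused, sshd is not the problem, and the usual culprit is the path in between (a host firewall or a NAT forwarding rule on the home router that still forwards only port 22). The config text and the key line are constructed sample data; the file names, directory layout and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
#
# sshd_effective_ports CONFIG_FILE
#   Prints the port(s) sshd will listen on according to CONFIG_FILE.
#   Commented-out "#Port 22" lines are ignored, several active Port lines are
#   all honoured, and with no active Port line sshd's built-in default is 22.
sshd_effective_ports() {
    config="$1"
    # $1 is the first word of an uncommented line, so "#Port 22" never matches.
    ports=$(awk 'tolower($1) == "port" { print $2 }' "$config")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# add_authorized_key PUBKEY_FILE SSH_DIR
#   Appends the client's public key to SSH_DIR/authorized_keys once (running it
#   again is a no-op) and fixes the permissions sshd requires with StrictModes.
#   The private half of the pair never leaves the client.
add_authorized_key() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth"
    key=$(cat "$pubkey_file")
    # -F fixed string, -x whole line: a key that is a prefix of another does not match.
    if ! grep -qFx -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    # sshd (StrictModes yes, the default) ignores authorized_keys that are
    # group/world writable or that live in a too-permissive ~/.ssh.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
}

# --- Stand-alone demo on constructed data (hypothetical paths) ---------------
demo() {
    tmp=$(mktemp -d)
    # A config in the shape the message describes: default line commented out,
    # a high port turned on. Constructed for this example.
    cat > "$tmp/sshd_config" <<'EOF'
# sample sshd_config (constructed)
#Port 22
Port 12345
Protocol 2
PermitRootLogin no
EOF
    echo "sshd will listen on: $(sshd_effective_ports "$tmp/sshd_config" | tr '\n' ' ')"

    # A constructed public key line; a real one comes from ssh-keygen on the client.
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE laptop" > "$tmp/laptop.pub"
    add_authorized_key "$tmp/laptop.pub" "$tmp/ssh"
    add_authorized_key "$tmp/laptop.pub" "$tmp/ssh"   # second run must not duplicate
    echo "authorized_keys has $(grep -c . "$tmp/ssh/authorized_keys") key line(s)"
    ls -ld "$tmp/ssh" "$tmp/ssh/authorized_keys"
    rm -rf "$tmp"
}

demo
```

Usage on a real box: run `sshd_effective_ports /etc/ssh/sshd_config` on the home machine after restarting sshd and confirm the same number appears in `netstat -ln` (or `ss -ltn` on newer systems); if it does and a remote `ssh -p 12345` is still refused, look at the firewall and the router's forwarding rule rather than at sshd. For the key side, copy the client's ~/.ssh/id_rsa.pub (or id_dsa.pub) to the home box by any means and feed it to `add_authorized_key` as the user who will log in.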



