On 01/04/2008, Russell L. Harris <[EMAIL PROTECTED]> wrote:
>
> SYSTEM:
>
> (1) firewall/router (SmoothWall Express 2.0) which (using NAT)
> provides and protects both a "green" zone for a LAN and an
> "orange" zone ("DMZ") for a publicly-accessible server
>
> (2) ftp or http server in the DMZ
>
> (3) desktop machine in the LAN from which the sysop maintains the
> server
>
> SITUATION:
>
> It is convenient to use "scp" for transferring files between the
> desktop machine in the LAN and the server, and to use "ssh" for
> remote maintenance of the server, again from the desktop machine
> in the LAN. And to eliminate the constant typing of password,
> ssh-agent can be installed.
>
> Such remote maintenance of the server from a machine in the LAN
> becomes tedious unless there is on each machine an account with
> the same username, password, and passphrase.
>
> QUESTION:
>
> Is there a major or unreasonable security risk if the sysop
> creates on the server an account with the same username, password,
> and passphrase as his account on the desktop machine? That is, if
> the server is compromised, should the sysop change his password,
> passphrase, etc.?
>
> If so, what is the recommended alternative? Is there a HOWTO on
> this subject?
>
> RLH
Hey,

There is definitely an alternative. ssh can authenticate using public keys. `ssh-keygen` generates a public and private keypair. Echo the public portion into ~/.ssh/authorized_keys on the dmz server and keep the private portion with the sysop. Copy the private key portion into ~/.ssh on the hosts that the sysop is using and you won't need a password.

This works cross user. [EMAIL PROTECTED] can login to [EMAIL PROTECTED] provided she has the private key and the public key is in bob's authorized_keys file.

To enable this you need to uncomment/add to /etc/ssh/sshd_config:

    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys

HTH, cheers,
Owen.
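An added example, not from Owen's reply or anyone on the thread: a small POSIX shell script that installs a public key into authorized_keys the way Owen describes, without duplicating it on repeated runs and with the directory and file permissions sshd insists on, and that checks an sshd_config for the two directives he lists. The key line, home directory and config paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Functions take paths as
# arguments so they can be exercised against a scratch directory.

# install_pubkey HOME_DIR PUBKEY_LINE
# Creates ~/.ssh (0700) and authorized_keys (0600) if missing; sshd refuses
# keys from world- or group-writable files. Appends the key only when it is
# not already present, so re-running the script never duplicates it.
install_pubkey() {
    home_dir="$1"; pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$keys" && chmod 600 "$keys"
    # -x: whole-line match, -F: fixed string (keys contain '/' and '+')
    if ! grep -qxF "$pubkey" "$keys"; then
        printf '%s\n' "$pubkey" >> "$keys"
    fi
}

# count_key HOME_DIR PUBKEY_LINE -> prints how many times the key appears
count_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# check_sshd_config FILE -> returns 0 if both directives Owen names are
# present and not commented out (leading whitespace tolerated), else 1.
check_sshd_config() {
    cfg="$1"
    grep -Eq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$cfg" || return 1
    grep -Eq '^[[:space:]]*AuthorizedKeysFile[[:space:]]+%h/\.ssh/authorized_keys' "$cfg" || return 1
    return 0
}

# Demo against a scratch home directory with a constructed (not real) key.
demo_key='ssh-rsa AAAAB3NzaC1yc2EXAMPLE sysop@desktop'
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"   # second run must be a no-op
echo "copies of key in authorized_keys: $(count_key "$demo_home" "$demo_key")"
```

Run it as the target user on the DMZ host (or point HOME_DIR at that user's home); a commented-out `#PubkeyAuthentication yes` is reported as missing, which is the usual reason key logins silently fall back to password prompts.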