[CentOS] ssh attack

Tue Feb 14 08:24:34 UTC 2006
Will McDonald <wmcdonald at gmail.com>

On 14/02/06, Barry Brimer <barry.brimer at bigfoot.com> wrote:
> > Right now I use passwords for some ssh connections, and passwordless ssh
> > for crontab rsyncs, using passwordless rsa keys. (When it asked to enter
> > a password for ssh-keygen I just hit enter). Does this leave me
> > vulnerable? Is there a how-to on this that explains how to use ssh-agent
> > with keys with passes?
> I recommend Keychain <http://www.gentoo.org/proj/en/keychain/>.  With
> keychain, you can log in and unlock your keys and allow your ssh
> communications to use them as needed.  You do have to unlock them after
> each reboot.

As Barry says, Keychain is very useful, especially for situations
where you want a script to connect to another system unattended but
want to avoid passwordless keys. There were some decent how-tos on IBM
Developerworks ages ago...


I believe some of the options Keychain accepts have changed since
the article was written but it's still useful.

I have SSHd set up similarly to...

Port 2220
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
X11Forwarding yes

In scripts which require the facility to connect "passwordlessly" to
other hosts, generate a new keypair with a strong password for the user
the script will run as. In one of the user's initialisation scripts
(.bashrc/.bash_profile) add the following...

keychain --clear --nogui id_rsa

And then in the script itself source the keychain agent authentication

[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

Anyone logging into the system as the user will need to enter the
password for the keypair to see/use the ssh-agent authentication
information but scripts will be able to use it without intervention.
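The sshd_config Will posted relies on a handful of settings (Protocol 2 only, password logins off, public key logins on, StrictModes and IgnoreRhosts on). Below is an added example, not code from the thread or from the Keychain project, that checks an sshd_config for exactly those settings, honouring sshd's rule that the first occurrence of a keyword wins and that keywords are case-insensitive. The two sample files it audits are constructed here for illustration (one mirrors the posted config, the other a looser one); point it at /etc/ssh/sshd_config to use it on a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# settings the posted configuration relies on. Runs offline against two
# constructed sample files.

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD. sshd honours the FIRST occurrence
# of a keyword and matches keywords case-insensitively, so do the same.
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per setting that differs from the hardened value.
audit_sshd_config() {
    _file=$1
    # keyword|required value|reason
    for _check in \
        "Protocol|2|protocol 1 should not be offered" \
        "PasswordAuthentication|no|password logins invite brute forcing" \
        "PubkeyAuthentication|yes|key logins must stay enabled" \
        "StrictModes|yes|lax ~/.ssh permission checks weaken key auth" \
        "IgnoreRhosts|yes|rhosts trust must be ignored"
    do
        _key=${_check%%|*}
        _rest=${_check#*|}
        _want=${_rest%%|*}
        _why=${_rest#*|}
        _have=$(sshd_setting "$_file" "$_key" | tr 'A-Z' 'a-z')
        if [ "$_have" != "$_want" ]; then
            printf '%s: %s is "%s", expected "%s" (%s)\n' \
                "$_file" "$_key" "${_have:-unset}" "$_want" "$_why"
        fi
    done
}

# count_findings FILE -> number of findings (0 means the file passes)
count_findings() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Constructed sample 1: the configuration posted in the thread.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
Port 2220
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
SyslogFacility AUTHPRIV
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
IgnoreRhosts yes
PasswordAuthentication no
X11Forwarding yes
EOF

# Constructed sample 2: protocol 1 still offered, passwords on, StrictModes
# unset. The second PasswordAuthentication line is ignored by sshd.
SAMPLE_WEAK=$(mktemp)
cat >"$SAMPLE_WEAK" <<'EOF'
protocol 2,1
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
IgnoreRhosts yes
EOF
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_WEAK"' EXIT

for f in "$SAMPLE_OK" "$SAMPLE_WEAK"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_sshd_config "$f"
done
```

Running it reports no findings for the first sample and three for the second (Protocol, PasswordAuthentication and the unset StrictModes); an unset keyword is reported as "unset" rather than assumed to take a safe default, since defaults vary between OpenSSH versions.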