On 19Jun2008 17:01, jeff@xxxxxxxxxx <jeff@xxxxxxxxxx> wrote:
| The first thing I did was on my workstation (that I ssh from) is create a
| public/private key pair and installed the public key in
| ~/.ssh/authorized_keys2, and disabled the password authentication in the
| /etc/ssh/sshd_config and everything so far works great.

You should also disable PermitRootLogin and set up an AllowUsers line in
sshd_config; this gives you tighter control.

| My issue I came up with is one of the systems sits on my home network behind
| a firewall, it would be nice if I can only require the public key for
| systems not on my local network, eg only the systems on the internet must
| be known.

For why?

Run an ssh-agent in your shell. Add your key to the agent. Use ssh (which
will silently use the key) to connect regardless.

Seriously, this is much more secure (because you never set up an insecure
ssh) and in the long run more convenient.

| I guess telnet is an option since it is blocked at the firewall.

It's an option, but poor.

| Next question/problem is, if I create an account for somebody to use when
| connecting to the system, I must put their public key in their home
| directory, can it be done the reverse? In other words can I provide them
| a key for the system and if they don't have that key they can not connect
| to the system.

Sure - it just means you make the key first. But that has two problems:
1) you know the passphrase to the key - only they should know it and
2) you have to get the _private_ key to them securely.

Putting it on a USB thumb drive and physically handing it to them might do
(2), provided you then scrub the USB thumb drive and ensure they install the
private key securely.

If they make the key, they just send you the public half, which can be sent
more openly, since it does not need to be secret.

Of course, there is the issue of ensuring that a key that arrives in email
really came from the user you intend to grant access to... A phone call can
be used for this.

-- 
Cameron Simpson <cs@xxxxxxxxxx> DoD#743 http://www.cskk.ezoshosting.com/cs/
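The three sshd_config settings recommended in the reply above (password authentication off, PermitRootLogin off, an AllowUsers line) are easy to get subtly wrong, because sshd takes the first value it sees for a keyword and ignores later duplicates and commented-out lines. The following POSIX sh audit script is an added example, not code from the thread or from its authors; it mirrors sshd's first-match rule, considers only the global section (it stops at the first Match line), and runs against two constructed sample configs written to a temporary directory. The user names and file names are placeholders.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings discussed
# in the thread. sshd uses the FIRST uncommented value of each keyword, so
# this check does the same. Simplification: the "Keyword=value" spelling
# sshd also accepts is not handled, only whitespace-separated lines.

# effective_value FILE KEYWORD -> prints the first effective value (or nothing)
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                    # comments never count
        tolower($1) == "match" { exit }              # leave the global section
        tolower($1) == tolower(key) { print $2; exit } # first match wins
    ' "$1"
}

# check_sshd_config FILE -> returns 0 when all three settings are hardened,
# 1 otherwise, printing one FAIL line per weak setting.
check_sshd_config() {
    f="$1"; rc=0
    pa=$(effective_value "$f" PasswordAuthentication)
    prl=$(effective_value "$f" PermitRootLogin)
    au=$(effective_value "$f" AllowUsers)
    [ "$pa" = "no" ]  || { echo "FAIL: PasswordAuthentication is '${pa:-unset, default yes}'"; rc=1; }
    [ "$prl" = "no" ] || { echo "FAIL: PermitRootLogin is '${prl:-unset}'"; rc=1; }
    [ -n "$au" ]      || { echo "FAIL: no AllowUsers line, any local account may log in"; rc=1; }
    return $rc
}

# make_samples DIR -> writes two constructed sample configs for the demo/test.
make_samples() {
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: the settings the thread recommends
PasswordAuthentication no
PermitRootLogin no
AllowUsers alice bob
EOF
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: looks hardened at a glance but is not
# PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
}

# Usage demo: build the samples and audit both files.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/hardened.conf "$tmp"/weak.conf; do
    echo "== $f"
    check_sshd_config "$f" && echo "OK: password auth off, root login off, AllowUsers set"
done
rm -rf "$tmp"
```

The weak sample shows both traps at once: the commented "PasswordAuthentication no" is inert, and the real "no" on the last line loses to the earlier "yes". After editing the live file, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the authoritative check to run before closing your existing session.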