Extra-secure use of SSH: Disabling key exchange?

Discussion in 'Mac Basics and Help' started by orbited, Jul 3, 2009.

  1. orbited macrumors newbie

    Joined:
    Jul 1, 2009
    #1
    I've set up SSH on my Mac server in order to pipe this, that and the other from the server to my MacBook from anywhere where I have access to the net. Everything works extremely well. But I'm looking for a way to further secure the solution.

    When an unknown client connects to the SSH-server, the two machines exchange public keys. This is part of the normal SSH process. However, since I will only access the server from a very, very limited number of machines I'd like to turn off authentication of any new clients.

    My thinking goes a little something like this. I've already exchanged keys with all the computers I'm going to access the server from. And right now, even though SSH itself is secure, the weakest link in the chain is still my password. By not allowing new keys to be exchanged, someone would, besides knowing/guessing my password, also need access to my MacBook. That would increase security considerably.

    Can this be done? If so, how? I'm not afraid to hack conf-files, so even if the solution is very technical, spill it! ;)

    Best,

    / Jonathan
     
  2. KoolStar macrumors demi-god

    Joined:
    Oct 16, 2006
    Location:
    Kentucky
    #2
    Here are my thoughts on the question.

    Try this slide77. In your sshd_config file, set the AllowUsers directive to only you and PermitRootLogin to no. Generate an SSH key on your MacBook or other devices and place it on the server. If you are trying to gain access to files remotely, the better way to do this is with scp and other tools.

    This is a list of various ways I can push and pull content.

    Pull
    rsync -r -v --progress -e ssh root@remote-server:/original/path /destination/path/
    scp foobar@hostB:~/myfile.txt /local/destination/path/
    Copy a folder from one host to another by adding option -r
    scp -r foobar@hostB:/remote/folder /local/destination/path/

    Copy from one host to another with different ssh account.
    scp foobar@hostB:~/myfile.txt root@hostF:~/

    ssh target_address cat remotefile > localfile

    Push
    scp myfile.txt foobar@hostB:/remote/send/to/path
    ssh target_address cat <localfile ">" remotefile

    tar -czf - /some/file | ssh root@192.168.2.100 tar -zxvf - -C /destination

    scp -c blowfish -C Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/
    scp -c blowfish Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/
    scp Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/ #FASTEST
    tar -czf - Windows_LAMP_and_ASP_install_files.folder.tar | ssh root@192.168.2.10 tar -zxvf - -C /home/

    Push a directory on port 8008
    scp -P 8008 -r /home/share root@192.168.2.4:/home/

    rsync -e 'ssh -ax -c blowfish -p8008' -avz --progress /media/music/ root@192.168.2.9:/home/share/music/

    rsync with resume
    rsync -r --partial --progress --ignore-existing --append --rsh=ssh my-local-folder-name user@destination-server:

    Push and delete empty directories and extra files on the receiver.
    rsync -r --partial --progress --ignore-existing --append --prune-empty-dirs --delete

    Use --dry-run to test, and --exclude='lost+found' to exclude certain files or directories.
     
  3. orbited thread starter macrumors newbie

    Joined:
    Jul 1, 2009
    #3
    Thanks for your reply KoolStar,

    However, it was not quite what I was after. I tunnel AFP and VNC traffic (among others) through SSH and I find that much more flexible and intuitive than using scp.

    The AllowUsers directive doesn't quite help me either. The password is still the weak link and the computer remains susceptible to a brute force attack. Also, I'm the only user on the server.

    What I'm after, like I said, is if there's a way to disable the server sshd from accepting new keys. Maybe it's not possible?

    Best,

    / Jonathan
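
The sshd_config settings discussed in this thread can be checked with a short script. This is an added example, not code from any poster: it audits a config for the AllowUsers and PermitRootLogin settings from post #2 and for whether password logins are still accepted, the weak link raised in posts #1 and #3. PasswordAuthentication and ChallengeResponseAuthentication are OpenSSH directives not named in the thread, and the function names, the sample config and the account name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumes plain "Keyword value" lines; Match blocks are skipped.

# Print the first value set for KEYWORD in the global section of FILE.
# sshd keywords are case-insensitive and the first occurrence wins.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report one directive; returns 1 when it is unset or differs from EXPECTED.
check_directive() {  # usage: check_directive FILE KEYWORD EXPECTED
    actual=$(sshd_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$3" ]; then
        echo "ok    $2 $actual"
    else
        echo "WEAK  $2 is '${actual:-unset}', want '$3'"
        return 1
    fi
}

# Exit status is the number of findings (0 = key-only login, restricted users).
audit_sshd() {  # usage: audit_sshd FILE
    n=0
    # Both password paths must be off, or a guessed password still logs in.
    check_directive "$1" PasswordAuthentication no || n=$((n + 1))
    check_directive "$1" ChallengeResponseAuthentication no || n=$((n + 1))
    check_directive "$1" PermitRootLogin no || n=$((n + 1))
    if [ -n "$(sshd_value "$1" AllowUsers)" ]; then
        echo "ok    AllowUsers $(sshd_value "$1" AllowUsers)"
    else
        echo "WEAK  AllowUsers is unset"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample ("jonathan" is a hypothetical account name).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'AllowUsers jonathan' \
    'PermitRootLogin no' 'PasswordAuthentication yes' > "$sample"
audit_sshd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a live server, `sshd -T` (run as root) prints the effective configuration, including defaults, and is the authoritative check. Confirm that key login works from every client before switching password authentication off.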
     
