Extra-secure use of SSH: Disabling key exchange?

orbited · Jul 3, 2009

I've set up SSH on my mac server in order to pipe this, that and the other from the server to my Macbook from anywhere where I have access to the net. Everything works extremely well. But, I'm looking for a way to further secure the solution.

When an unknown client connects to the SSH-server, the two machines exchange public keys. This is part of the normal SSH process. However, since I will only access the server from a very, very limited number of machines I'd like to turn off authentication of any new clients.

My thinking goes a little something like this. I've already exchanged keys with all the computers I'm going to access the server. And right now, even though SSH itself is secure, the weakest link in the chain is my still my password. By not allowing new keys to be exchanged someone would, beside knowing/guessing my password, also need access to my Macbook. That would increase security considerably.

Can this be done? If so, how? I'm not afraid to hack conf-files, so even if the solution is very technical, spill it!

Best,

/ Jonathan

KoolStar · Jul 3, 2009

Here is my thoughts on the question.

Try this slide77. In your sshd_config file AllowUsers directive set that to only you and PermitRootLogin to no. Generate a ssh key on you macbook or other devices and place it on the server. If you are trying to gain access to files remotely the better way to do this is with scp and other tools.

This is list o various ways I can push and pull content.

Pull
rsync -r -v --progress -e ssh root@remote-server:/original/path /destination/path/
scp foobar@hostB:~/myfile.txt /local/destination/path/
Copy a folder from one host to another by adding option -r
scp -r foobar@hostB:/remote/folder

Copy from one host to another with different ssh account.
scp foobar@hostB:~/myfile.txt root@hostF:~/

ssh target_address cat remotefile > localfile

Push
scp myfile.txt foobar@hostB:/remote/send/to/path
ssh target_address cat <localfile ">" remotefile

tar -czf - /some/file | ssh root@192.168.2.100 tar -zxvf - -C /destination

scp -c blowfish -C Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/
scp -c blowfish Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/
scp Windows_LAMP_and_ASP_install_files.folder.tar root@192.168.2.10:/home/ #FASTEST
tar -czf - Windows_LAMP_and_ASP_install_files.folder.tar | ssh root@192.168.2.10 tar -zxvf - -C /home/

Push a directory on port 8008
scp -P 8008 -r /home/share root@192.168.2.4:/home/

rsync -e 'ssh -ax -c blowfish -p8008' -avz --progress /media/music/ root@192.168.2.9:/home/share/music/

rysnc with resume
rsync -r --partial --progress --ignore-existing --append --rsh=ssh my-local-folder-name user@destination-server:

Push and delete empty directories and extra files on the receiver.
rsync -r --partial --progress --ignore-existing --append --prune-empty-dirs --delete

Use this to test --dry-run and this to exclude certain files or directories --exclude='lost+found'

orbited · Jul 4, 2009

Thanks for your reply KoolStar,

However, it was not quite what I was after. I tunnel AFP and VNC traffic (among others) though SSH and I find that much more flexible and intuitive than using scp.

The AllowUsers directive doesn't quite help me either. The password is still the weak link and the computer remain susceptible to a brute force attack. Also, I'm the only user on the server.

What I'm after, like I said, is if there's a way to disable the server sshd from accepting new keys. Maybe its not possible?

Best,

/ Jonathan

Extra-secure use of SSH: Disabling key exchange?

orbited macrumors newbie

KoolStar macrumors demi-god

orbited thread starter macrumors newbie

Share This Page

Touch Arcade

YouTube

Useful Searches

Extra-secure use of SSH: Disabling key exchange?

orbited macrumors newbie

KoolStar macrumors demi-god

orbited thread starter macrumors newbie

Share This Page