[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile

From: Karl Goetz
Subject: Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile
Date: Thu, 29 Mar 2012 21:12:10 +1100

On Tue, 27 Mar 2012 21:19:53 +0200
address@hidden (Michał Masłowski) wrote:

> > This guide [1] recommends to change ListenAddress to and
> > Port to 666. (I want to use another port (and another address). Does
> > it matter? 666 is used by Doom. [2])
> It's ok if you don't use Doom or other services on port 666 and your
> firewall/ISP doesn't prevent you from connecting to it.  For correctly
> configured sshd, changing port should just lower the amount of login
> attempts by bots, it's practically impossible for them to succeed when
> only public key authentication is enabled (and they don't know your
> private key and you haven't used a bad random number generator to make
> the key pair).

I'd also suggest installing 'fail2ban'. Work out of the box with SSH,
helps prevent dictionary attacks and can be configured to work with
dozens of other services.

> > How to use SSH with a non-standard port? Will it be something like
> > this: ssh -i ~/.ssh/id_rsa <server's ip>:<new port number>?

You used -i earlier as well. If you only have one key for your user,
ssh will pick the correct one by default. No need to specify.

> > Is there a need for a username@ prefix before the server's ip (I
> > changed PermitRootLogin to no)?

If you log in with the same username on both hosts, you can leave it.

> I have this fragment in ~/.ssh/config:
> Host parabola
>      Port 1863
>      HostName
>      User repo
>      IdentityFile ~/.ssh/id_rsa
> If I don't specify the username@ prefix when connecting to parabola,
> it will connect as user "repo" (by default the local user name is
> used).

Using .ssh/config is good advice, and I'd definitely suggest you try it
out. I've got ~15 different Host entries, some of which contain
wildcards (eg * Helps if any defaults need setting, or
if you want to use rsync over ssh.

Karl Goetz, (Kamping_Kaiser / VK7FOSS)
No, I won't join your social networking group
*** I've changed GPG key to 6C097260 ***

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]