Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile
From: Karl Goetz
Subject: Re: [gNewSense-users] SSH: HostKey vs. AuthorizedKeysFile
Date: Thu, 29 Mar 2012 21:12:10 +1100
On Tue, 27 Mar 2012 21:19:53 +0200
address@hidden (Michał Masłowski) wrote:
> > This guide [1] recommends to change ListenAddress to 192.168.0.1 and
> > Port to 666. (I want to use another port (and another address). Does
> > it matter? 666 is used by Doom. [2])
>
> It's ok if you don't use Doom or other services on port 666 and your
> firewall/ISP doesn't prevent you from connecting to it. For correctly
> configured sshd, changing port should just lower the amount of login
> attempts by bots, it's practically impossible for them to succeed when
> only public key authentication is enabled (and they don't know your
> private key and you haven't used a bad random number generator to make
> the key pair).
I'd also suggest installing 'fail2ban'. Works out of the box with SSH,
helps prevent dictionary attacks and can be configured to work with
dozens of other services.
> > How to use SSH with a non-standard port? Will it be something like
> > this: ssh -i ~/.ssh/id_rsa <server's ip>:<new port number>?
You used -i earlier as well. If you only have one key for your user,
ssh will pick the correct one by default. No need to specify.
> > Is there a need for a username@ prefix before the server's ip (I
> > changed PermitRootLogin to no)?
If you log in with the same username on both hosts, you can leave it.
> I have this fragment in ~/.ssh/config:
>
> Host parabola
> Port 1863
> HostName repo.parabolagnulinux.org
> User repo
> IdentityFile ~/.ssh/id_rsa
>
> If I don't specify the username@ prefix when connecting to parabola,
> it will connect as user "repo" (by default the local user name is
> used).
Using .ssh/config is good advice, and I'd definitely suggest you try it
out. I've got ~15 different Host entries, some of which contain
wildcards (eg *.gnewsense.org). Helps if any defaults need setting, or
if you want to use rsync over ssh.
thanks,
kk
--
Karl Goetz, (Kamping_Kaiser / VK7FOSS)
http://www.kgoetz.id.au
No, I won't join your social networking group
*** I've changed GPG key to 6C097260 ***
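The thread above boils down to a short checklist for sshd_config: a non-default Port, PermitRootLogin no, and public-key-only authentication. The following is an added example (not part of the mail or of the OpenSSH project) that audits a given sshd_config against exactly those points. It assumes POSIX sh with awk and, like sshd itself, takes the first uncommented occurrence of a keyword as the effective value; Match blocks and Include directives are not handled, and the path passed as the first argument is hypothetical.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points discussed in the
# thread. Not the mailing list's code nor OpenSSH's; assumes POSIX sh + awk.

# sshd_get FILE KEYWORD
# Print the value of the first uncommented KEYWORD line (sshd uses the first
# occurrence it finds); prints nothing if the keyword is not set.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Prints one line per finding and returns 0 when everything passes, 1 otherwise.
audit_sshd_config() {
    file=$1
    rc=0

    # Non-default port: only lowers bot noise, but that is what the thread asks for.
    port=$(sshd_get "$file" Port)
    [ -z "$port" ] && port=22
    if [ "$port" = "22" ]; then
        echo "WARN: Port is 22 (default); a non-standard port cuts login attempts by bots"
        rc=1
    fi

    # Root must not log in over SSH at all.
    proot=$(sshd_get "$file" PermitRootLogin)
    if [ -z "$proot" ]; then
        echo "FAIL: PermitRootLogin not set (default depends on OpenSSH version); set it to 'no'"
        rc=1
    elif [ "$proot" != "no" ]; then
        echo "FAIL: PermitRootLogin is '$proot', expected 'no'"
        rc=1
    fi

    # Password guessing is what the bots are doing; turn it off (default is yes).
    pauth=$(sshd_get "$file" PasswordAuthentication)
    [ -z "$pauth" ] && pauth=yes
    if [ "$pauth" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pauth'; only public keys should be accepted"
        rc=1
    fi

    # Public key auth has to remain enabled or nobody gets in (default is yes).
    pubkey=$(sshd_get "$file" PubkeyAuthentication)
    [ -z "$pubkey" ] && pubkey=yes
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pubkey', expected 'yes'"
        rc=1
    fi

    return $rc
}

# Usage: sh audit.sh /etc/ssh/sshd_config  (path is hypothetical)
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it before restarting sshd after editing the file; a non-zero exit means at least one of the thread's recommendations is not in effect. Remember that changing Port without also updating any firewall rule has the effect Michał mentions: you lock yourself out rather than the bots.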