[TAG] Question about restricting SSH access and open access to a specific computer
raj at rajshekhar.net
Mon Jan 16 19:54:45 MSK 2006
In infinite wisdom Suramya Tomar spoke thus on Saturday 14 January 2006:
> Hi Everyone,
> I have a question for you regarding restricting access to my computer.
> I am running a Debian system and have SSH (OpenSSH_4.2p1) running. I use
> IPtables to restrict SSH access to a selected set of IPs.
> Now the problem I am facing is that while I am in India my public IP
> changes at random intervals, so every day or so I have to login to my
> server via another system whose IP thankfully doesn't change and give my
> public IP access to that system. While this is not a big deal, it's still
> a pain to do.
> Now I don't want to open access to the entire C network for my IP in
> India but want to make my life easier. So I was wondering if there was
> some other way of limiting access that limited access to a specific IP
> set but also let me authenticate using a token or something?
Instead of restricting users based on their IPs, why not use SSH key-based
authentication? Copy your id_dsa.pub or id_rsa.pub keys to the
~/.ssh/authorized_keys file (on your server) and set
PasswordAuthentication to No in /etc/ssh/ssh_config (a good idea before
disabling password authentication is to first test whether your key-based
authentication works or not). Check here for more ssh-agent magic.

The only caveat that I can think of with this method is if you lose your
~/.ssh or if you want to login from someplace other than your own box.
One of my friends carries his SSH & GPG keys everywhere with him on a
small pocket-sized CD. I have my SSH keys on my work desktop, which is
behind a DMZ.

If you have been plagued by bots trying to brute force their way into your
machine, another option is to run SSH on some different port.
-- 
raj shekhar
http://rajshekhar.net
http://rajshekhar.net/blog
WE APOLOGIZE FOR THE INCONVENIENCE
-- God's Last Message to his Creation
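As an added example (not code from the thread), a POSIX sh audit of an sshd_config file that follows raj's advice to confirm key-based login before passwords are switched off; the server-side file sshd reads is /etc/ssh/sshd_config, and the two sample configs and the host name below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. sshd keeps the FIRST value it sees for
# a keyword, so appending "PasswordAuthentication no" below an earlier "yes"
# changes nothing; this audit catches that before passwords are switched off.

# Print the effective value of a keyword in an sshd_config file: keyword
# match is case-insensitive, comments and blank lines are skipped, the
# first occurrence wins, and parsing stops at the first Match block.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Succeeds (exit 0) only if password auth is off, pubkey auth is on (its
# default), and PAM keyboard-interactive cannot be used as a password path.
sshd_key_only() {
    pw=$(sshd_setting "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    pk=$(sshd_setting "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || return 1
    [ -z "$pk" ] || [ "$pk" = "yes" ] || return 1
    [ "$cr" = "no" ]
}

# Constructed sample: the common mistake of appending "no" at the end.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later, but the "yes" above is what sshd uses
PasswordAuthentication no
EOF

# Constructed sample: the corrected file.
FIXED=$(mktemp)
cat > "$FIXED" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF

# Before restarting sshd with the fixed file, prove key auth works from a
# second terminal while keeping the first session open (host/user assumed):
#   ssh -o PasswordAuthentication=no -o BatchMode=yes you@your.server true
sshd_key_only "$FIXED"  # exit status 0 for the corrected file
```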