[TAG] Question about restricting SSH access and open access to a specific computer
Raj Shekhar
raj at rajshekhar.net
Mon Jan 16 19:54:45 MSK 2006
in infinite wisdom Suramya Tomar spoke thus On Saturday 14 January 2006 08:54 PM:
> Hi Everyone,
> I have a question for you regarding restricting access to my computer.
> I am running a Debian system and have SSH (OpenSSH_4.2p1) running. I use
> IPtables to restrict SSH access to a selected set of IPs.
>
> Now the problem I am facing is that while I am in India my public IP
> changes at random intervals, so every day or so I have to login to my
> server via another system whose IP thankfully doesn't change and give my
> public IP access to that system. While this is not a big deal, it's still
> a pain to do.
>
> Now I don't want to open access to the entire C network for my IP in
> India but want to make my life easier. So I was wondering if there was
> some other way of limiting access that limited access to a specific IP
> set but also let me authenticate using a token or something?
Instead of restricting users based on their IPs, why not use ssh key
based authentication? Copy your id_dsa.pub or id_rsa.pub keys to the
~/.ssh/authorized_keys file (on your server) and set
PasswordAuthentication to No in /etc/ssh/ssh_config (it is a good idea,
before disabling password authentication, to first test whether your key
based authentication works or not). Check here for more ssh agent magic:
http://www.securityfocus.com/infocus/1812
The only caveat that I can think of with this method is if you lose your
~/.ssh or if you want to login from someplace other than your own box.
One of my friends carries his ssh & gpg keys everywhere with him on a
small pocket-sized CD. I have my ssh keys on my work desktop, which is
behind a DMZ.
If you have been plagued by bots trying to brute force into your
machine, another option is to run ssh on some different port.
--
raj shekhar
http://rajshekhar.net
http://rajshekhar.net/blog
"WE APOLOGIZE FOR THE INCONVENIENCE" -- God's Last Message to his Creation
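The steps in the reply above (install the public key, then switch off password logins only after checking) as an added POSIX shell example; this is not code from the list post or from OpenSSH. It assumes the caller passes in the authorized_keys path and the daemon config path, and the key and config contents are constructed samples.

```shell
#!/bin/sh
# Added example: prepare a server for key-only SSH logins and check the
# daemon config before password logins are switched off.

# Append a public key to an authorized_keys file exactly once, with the
# permissions sshd insists on (it ignores group/world-writable files).
add_authorized_key() {
    keyfile="$1"      # path to authorized_keys (assumed, passed by caller)
    pubkey="$2"       # one line, e.g. the contents of id_rsa.pub
    dir=$(dirname "$keyfile")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$keyfile" && chmod 600 "$keyfile"
    if grep -qxF "$pubkey" "$keyfile"; then
        return 0                      # already present: idempotent
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
}

# Report whether an sshd config file disables password logins.
# sshd uses the first matching keyword, so only the first uncommented
# PasswordAuthentication line counts; a missing line means the default (yes).
# Match blocks are not handled. Returns 0 when passwords are off, 1 otherwise.
password_auth_disabled() {
    conf="$1"
    value=$(awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$conf")
    [ "$value" = "no" ]
}

# Before editing the daemon config, confirm the key logs in with no password
# fallback (not run here, it needs a real host):
#   ssh -o BatchMode=yes -o PasswordAuthentication=no user@host true

# Stand-alone demo on a scratch directory with a constructed key and config.
demo=$(mktemp -d)
add_authorized_key "$demo/.ssh/authorized_keys" "ssh-rsa AAAAB3Nza_constructed== suramya@laptop"
printf 'Port 22\n#PasswordAuthentication yes\n' > "$demo/sshd_config"
if password_auth_disabled "$demo/sshd_config"; then
    echo "password logins disabled"
else
    echo "password logins still enabled (default); set PasswordAuthentication no"
fi
rm -rf "$demo"
```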