This will work if you have no passphrase on your RSA key. This is a *really* stupid thing to do, IMHO, especially to a root account, as anyone who manages to get access to your ~/.ssh/identity file will be able to log into any host that you have set this up on, without a password. While it's a little more secure than .rhosts authentication, the absence of any kind of password/passphrase validation makes it (again IMHO) an undesirable option for the security conscious.

--Adam

-----Original Message-----
From: Zachary McGibbon <mzac@uunet.ca>
To: Roeland M.J. Meyer <rmeyer@mhsc.com>
Cc: Benicio Miguel Sanchez Fuentes <bsanchez@alestra.com.mx>; NorthAm Net Ops Grp List <nanog@merit.edu>
Date: Tuesday, September 29, 1998 1:42 AM
Subject: Re: Remote Shell

You can perform 'rsh' type commands with ssh as well... here's an example:

    /# ssh servername w
    root@servername's password: <type password here>
     10:45pm  up 19 days,  6:31,  2 users,  load average: 0.18, 0.11, 0.09
    USER     TTY      FROM              LOGIN@  IDLE   JCPU   PCPU  WHAT
    root     ttyp0    client            8:08pm  2:37m  0.27s  0.10s

You can also set up authorized keys on the server side. In your home dir on the server, go into the '.ssh' dir, and create a file called 'authorized_keys', then on your workstation, type 'ssh-keygen'. In your home dir, go into '.ssh' and take the contents of 'identity.pub' and copy that to the 'authorized_keys' on the server side. Then 'chmod 600 authorized_keys' on the server side. Then it won't ask you for a password when you ssh to that machine. It's useful if you want to set this up as a cronjob to do something on a remote machine.

On Mon, 28 Sep 1998, Roeland M.J. Meyer wrote:
Set up SSH <http://www.datafellows.com> and open port 22. I would NOT allow plain ol' telnet over the Internet. SSH is free for non-commercial use and it works quite well under HP-UX.
At 01:32 PM 9/28/98 -0500, you wrote:
I need to give remote shell access to a user in a server (an HP-9000 k410 running HP-UX 10.10) connected to mine through a 3Com router. I have done some investigation and what I have found is that I have to open port 514 for TCP; for some reason this did not work, so I opened (temporarily of course) all the ports on the router... and it worked, but I don't want to leave it like that. Does anyone know what port(s) I need to leave open to allow the remote shells?
Is there any configuration needed other than the equiv.hosts and (or) the .rhosts files?
Thanks in advance for your answers
Benicio Sanchez
Network Operations Engineer
Alestra

_________________________________________________
Morgan Hill Software Company, Inc.
Colorado Springs, CO - Livermore, CA - Morgan Hill, CA
Domain Administrator MHSC2-DOM and MHSC3-DOM
Administrative and Technical contact
____________________________________________
InterNIC Id: MHSC hostmaster (HM239-ORG)
e-mail: mailto:hostmaster@mhsc.com
web-pages: http://www.mhsc.com/
____________________________________________
A group of politicians deciding to dump a President because his morals are bad is like the Mafia getting together to bump off the Godfather for not going to church on Sunday. -- Russell Baker
Zachary McGibbon mzac@uunet.ca
I didn't come up with this one. But, for the truly security conscious, the machine that has this kind of access has no lusers on it anyway. The hosts that our customers are on are administered, not administrators. Besides, for security reasons, only employees have shell accounts and even most of them do not, only SAs and developers, on an as-needed basis. Our NOC machines don't even have developers (which is where this sort of thing would be done from). I think it's a cute idea and I'm going to try it. BTW, everyone here has WinNT as their workstation O/S. The Linux boxen are strictly servers, even me.

At 01:16 AM 9/29/98 -0400, Adam D. McKenna wrote:
This will work if you have no passphrase on your RSA key. This is a *really* stupid thing to do, IMHO, especially to a root account, as anyone who manages to get access to your ~/.ssh/identity file will be able to log into any host that you have set this up on, without a password. While it's a little more secure than .rhosts authentication, the absence of any kind of password/passphrase validation makes it (again IMHO) an undesirable option for the security conscious.
--Adam

-----Original Message-----
From: Zachary McGibbon <mzac@uunet.ca>
To: Roeland M.J. Meyer <rmeyer@mhsc.com>
Cc: Benicio Miguel Sanchez Fuentes <bsanchez@alestra.com.mx>; NorthAm Net Ops Grp List <nanog@merit.edu>
Date: Tuesday, September 29, 1998 1:42 AM
Subject: Re: Remote Shell
You can perform 'rsh' type commands with ssh as well... here's an example:
    /# ssh servername w
    root@servername's password: <type password here>
     10:45pm  up 19 days,  6:31,  2 users,  load average: 0.18, 0.11, 0.09
    USER     TTY      FROM              LOGIN@  IDLE   JCPU   PCPU  WHAT
    root     ttyp0    client            8:08pm  2:37m  0.27s  0.10s

You can also set up authorized keys on the server side. In your home dir on the server, go into the '.ssh' dir, and create a file called 'authorized_keys', then on your workstation, type 'ssh-keygen'. In your home dir, go into '.ssh' and take the contents of 'identity.pub' and copy that to the 'authorized_keys' on the server side. Then 'chmod 600 authorized_keys' on the server side. Then it won't ask you for a password when you ssh to that machine. It's useful if you want to set this up as a cronjob to do something on a remote machine.
On Mon, 28 Sep 1998, Roeland M.J. Meyer wrote:
Set up SSH <http://www.datafellows.com> and open port 22. I would NOT allow plain ol' telnet over the Internet. SSH is free for non-commercial use and it works quite well under HP-UX.
At 01:32 PM 9/28/98 -0500, you wrote:
I need to give remote shell access to a user in a server (an HP-9000 k410 running HP-UX 10.10) connected to mine through a 3Com router. I have done some investigation and what I have found is that I have to open port 514 for TCP; for some reason this did not work, so I opened (temporarily of course) all the ports on the router... and it worked, but I don't want to leave it like that. Does anyone know what port(s) I need to leave open to allow the remote shells?
Is there any configuration needed other than the equiv.hosts and (or) the .rhosts files?
Thanks in advance for your answers
Benicio Sanchez
Network Operations Engineer
Alestra
On Tue, 29 Sep 1998, Adam D. McKenna wrote:
This will work if you have no passphrase on your RSA key. This is a *really* stupid thing to do, IMHO, especially to a root account, as anyone who manages to get access to your ~/.ssh/identity file will be able to log into any host that you have set this up on, without a password. While it's a little more secure than .rhosts authentication, the absence of any kind of password/passphrase validation makes it (again IMHO) an undesirable option for the security conscious.
Well, you can use ssh-agent. Then it's the rsh equivalent and your identity is still protected.

---
Ingo Luetkebohle, CTO
dev/consulting Gesellschaft fuer Netzwerkentwicklung und -beratung mbH
url: http://www.devconsult.de/ - fon: 0521-1365800 - fax: 0521-1365803
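The following script is an added example and is not code from anyone in the thread. It performs the authorized_keys setup Zachary describes (paste identity.pub into ~/.ssh/authorized_keys, chmod 600) and adds the checks a practitioner would want around Adam's objection and Ingo's ssh-agent suggestion: ~/.ssh is also made mode 700, since sshd's StrictModes check (on by default) ignores an authorized_keys file that anyone but the owner can write; the entry is only appended once; the entry can carry the standard authorized_keys options command="..." and from="...", which pin a key that must be passphrase-less for a cron job to one command from one host, so a copied identity file buys far less than a full login; and run_with_agent shows the interactive alternative, a passphrase-protected key unlocked once per session through ssh-agent. The function names, the host 'client', the command /usr/bin/w and the key line are assumptions for the demo; the key line is constructed in the SSH1 identity.pub layout and is not a usable key.

```shell
#!/bin/sh
# Added example (not from the thread): authorized_keys installation with the
# permission and idempotency checks sshd expects, plus an ssh-agent helper.
# DEMO_KEY below is constructed and is not a real key.

# install_authorized_key SSH_DIR PUBKEY_LINE [OPTIONS]
#   Appends PUBKEY_LINE (the contents of identity.pub on the workstation)
#   to SSH_DIR/authorized_keys, prefixed with OPTIONS when given, and sets
#   the directory to 700 and the file to 600.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    opts=${3:-}
    keyfile="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"        # StrictModes also rejects a loose ~/.ssh
    touch "$keyfile"
    chmod 600 "$keyfile"        # the 'chmod 600 authorized_keys' step

    if [ -n "$opts" ]; then
        entry="$opts $pubkey"
    else
        entry="$pubkey"
    fi

    # Idempotent: whole-line, fixed-string match before appending.
    if ! grep -qxF -e "$entry" "$keyfile"; then
        printf '%s\n' "$entry" >> "$keyfile"
    fi
}

# mode_of PATH
#   Prints the ten-character permission field from ls -ld (portable across
#   GNU and BSD userlands, unlike stat's format flags).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms SSH_DIR
#   Returns 0 when SSH_DIR is drwx------ and authorized_keys is -rw-------,
#   1 otherwise. Looser modes make sshd silently ignore the file.
check_ssh_perms() {
    [ "$(mode_of "$1")" = "drwx------" ] || return 1
    [ "$(mode_of "$1/authorized_keys")" = "-rw-------" ] || return 1
    return 0
}

# count_keys SSH_DIR
#   Prints the number of non-empty lines (entries) in authorized_keys.
count_keys() {
    grep -c . "$1/authorized_keys"
}

# run_with_agent HOST CMD
#   Ingo's alternative to a passphrase-less key: start an agent, unlock the
#   key once (ssh-add prompts for the passphrase), run the remote command,
#   stop the agent. Not invoked by the demo; it needs an ssh client and a
#   reachable host.
run_with_agent() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add && ssh "$1" "$2"
    ssh-agent -k >/dev/null
}

# Constructed demo key in the SSH1 identity.pub layout
# (bits exponent modulus comment). Placeholder numbers, not a real key.
DEMO_KEY='1024 35 1234567890123456789 demo@client'

# Demo: install the key twice (second call is a no-op), then add a copy
# restricted to running w when the connection comes from host 'client'.
demo_dir=$(mktemp -d)/.ssh
install_authorized_key "$demo_dir" "$DEMO_KEY"
install_authorized_key "$demo_dir" "$DEMO_KEY"
install_authorized_key "$demo_dir" "$DEMO_KEY" 'command="/usr/bin/w",from="client"'
echo "entries: $(count_keys "$demo_dir")"          # 2
check_ssh_perms "$demo_dir" && echo "permissions OK"
cat "$demo_dir/authorized_keys"
rm -rf "$(dirname "$demo_dir")"
```

For the cron-job case Zachary mentions, the restricted second entry is the one to keep: a key that can only run /usr/bin/w from one source host is a much smaller loss than a root login everywhere if the identity file leaks. For interactive use, run_with_agent gives the "rsh equivalent" Ingo describes without ever storing an unencrypted private key on disk.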
participants (3)
-
Adam D. McKenna
-
Ingo Luetkebohle
-
Roeland M.J. Meyer