ssh related

[schamarthi]

I am currently working on a linux (fedora 15) machine in my institute. I have a win7 OS at home with bitwise tunnellier software.

I would like to transfer some files from my office system to home system using the ssh connection(like ftp). can some one guide me about the steps in this regard, i can log into my office system (from bitwise tunnellier software on win7 system @home) and see the files though.

How safe is this type of connection .. any hacking possibilities of my office system?, though the tunnellier lists about so many encrypter software.

thanks in advance

[bodhi.zazen]

If you are looking to log in from windows , take a look at putty and winscp

Use keys and disable password authentication to secure your ssh connection

[pete_1967]

Quote:

Originally Posted by schamarthi

I am currently working on a linux (fedora 15) machine in my institute. I have a win7 OS at home with bitwise tunnellier software.

I would like to transfer some files from my office system to home system using the ssh connection(like ftp). can some one guide me about the steps in this regard, i can log into my office system (from bitwise tunnellier software on win7 system @home) and see the files though.

How safe is this type of connection .. any hacking possibilities of my office system?, though the tunnellier lists about so many encrypter software.

thanks in advance

SSH and SCP use encrypted connection so there's nothing "unsafe" in using either - they are pretty much standard way to access remote machines securely. As bodhi.zazen mentions, as long as you have sshd properly setup on your Fedora machine, it's the safest way to access your machine remotely. So, use only key based authentication, disable root login in sshd and open port 22 in your Fedora's firewall and you're good to go.

You can safely ignore bodhi.zazen's advice about Putty and WinSCP, Bitwise Tunnelier is fine program and there is no real reason why shouldn't use it. Nothing against Putty nor WinSCP, but there's no point in giving that kind of advice when user already has proper tools for the job.

So schamarthi, do bit of homework on how to setup up secure ssh connection (you find plenty of info in these forums alone) and off you go!

P.S. Note that SCP is 2 way protocol, you can as easily upload files to your Fedora computer as you can download from it.

[stevea]

The connection between systems for ssh is remarkably secure. The weak point is in authentication to create the connection. So as bodhi.z' says - use KEYs and disable password logins. Once you setup the keys on your LAN you can set these lines at the TOP of the /etc/sshd_config file:
ChallengeResponseAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
then restart the service ....
sudo service sshd restart

After you do that the you can safely open port 22 (or other forwarded port) on your firewall and home router.

Note that there are a lot of script kiddies who will try to hack ssh password account on port 22 especially. They can't touch a key login scheme.

Then you can carry the half-key to work on a USB key and use it in putty or whatever.

If that key is ever compromised you should eliminate the corresponding keys on your system immediately.

---------- Post added at 12:27 PM ---------- Previous post was at 12:22 PM ----------

I'm not very impressed with the common "disable root login" advice. In nearly every end-user PC *ALL* the information we want to secure is available to the couple user accounts. If someone cracks the 'stevea' account on my systems then they can do 99.8% of all the damage possible.

[pete_1967]

Quote:

Originally Posted by stevea

I'm not very impressed with the common "disable root login" advice. In nearly every end-user PC *ALL* the information we want to secure is available to the couple user accounts. If someone cracks the 'stevea' account on my systems then they can do 99.8% of all the damage possible.

Yes, they can damage your personal data, but it's that 0.2% that is the dangerous bit: that 0.2% includes them gaining the control of your whole system.

They can install rootkits, modify system files and modify your logs to hide the fact that they are in your system, and that quickly turns 0.2% to 99.8% of the cost of damage they can cause.

Of course, disabling root login doesn't make it any harder to get into your system through ssh, but what it does is, once in, it makes gaining full control of your system a lot harder and increases your chances to detect them before they get that far.

Your files are most probably of no value to anyone, but gaining control of your machine has. It can be used as a part of a botnet, to send spam, store stolen CC details, become child porn server, used as staging platform for DDOS or further intrusion attempts and what not. And that's why pretty much any attack, brute force or any other kind, first targets system accounts, especially root, and not user accounts.

If they crack your user account, they still have to crack your root account. If they crack ssh credentials for root and can login with it, it's game over for you.

That's why you should disable rootlogins.

[bodhi.zazen]

Quote:

Originally Posted by stevea

I'm not very impressed with the common "disable root login" advice. In nearly every end-user PC *ALL* the information we want to secure is available to the couple user accounts. If someone cracks the 'stevea' account on my systems then they can do 99.8% of all the damage possible.

I tend to agree, so long as the root account / ssh login is secured, mainly by disabling password authentication. Root logins with keys or kerberos are, IMO, reasonably secure.

I would also agree, a lot of damage can be done from a user account, without the need for root access.

If one has access to an account that is allowed to escalate to root, either by su or sudo, root access is close behind anyways.

I think it is more important to learn to secure your ssh connections. ssh keys , disable password authentication (for ssh), and perhaps a few "simple" rules for iptables.

[schamarthi]

@stevea:

ChallengeResponseAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication no
RhostsRSAAuthentication no
then restart the service ....
sudo service sshd restart

I could do all these can I know how to generate a publickey for the remotehost and client? Steps if one can...If I can create @tunnelier(win7 PC), how to carry it 2 my remote Host (office system)

Thanks in advance

[bodhi.zazen]

generate a key with ssh-keygen. I am not sure how your application handles keys, you would need to read the documentation.

This is a set of notes I made several years ago when presenting ssh keys to my LUG :

http://bodhizazen.net/Tutorials/SSH_keys

[schamarthi]

Ha what I understood is

1. just open Bitvise-tunnelier in win7
2. generate a public key
3. save the key(export to some pen-drive or store in my win7 system )

4. log into the system(without disabling passwd authentication) from tunnelier and copy the key renaming it as rsa.pub in ./.ssh folder(be as user not su) . incorporate (as su) the above (in the thread) cautions on authentications.

5. disable the passwd authentication

6. logout of system (through tunnellier) close the tunnelier

7. login again through tunnelier and give the public-key for login again!

(this is only as a authentication that the incoming connection is a reliable not a eves-dropping act), then give use login and passwd to log into the remote system )

Is it right??!!