
Thread: Gnucash??

  1. #21

    Re: Gnucash??

    Quote: Originally Posted by bodhi.zazen
        You can generate one key per client or many people keep keys on a flash drive.

        The key is what you need. key.pub goes on the server (although I keep both on a flash drive, encrypt the flash drive if (paranoid)).

    Heh. Heh. That's exactly the way I do it, for exactly the same paranoid reason.

    But he can also do the keygen and transfer the key over the Internet (using ssh-copy-id), as he was asking. Only problem is, I find that the minute (literally) that my OpenSSH is unprotected, I have a ton of port scanning and brute-force password cracking attempts for the SSH port. God forbid if I don't have at least a strong password on the OpenSSH connection initially! A side-result of brute-force password cracking attempts is that the server loses time responding to them. (In this way it is somewhat similar to a Denial of Service attack.)

    I indeed have used ssh-copy-id over a password-protected SSH connection (when the user isn't in physical proximity), but I sure do it quickly and then turn off the password authentication (in the SSH config file) immediately after transferring the key.

    For the most part, though, I have gone to the flash drive method for transmitting keypair data, as well.

    Just as a plug, I think knockd is a great little security device for people who want port security.

    I don't use port 22 for my SSH connections anymore, but have changed it (by editing the ssh config file on the server) to a non-standard port.

    Using knockd, I can hide that port and open it only when the correct sequence of port requests is made from the Internet. This keeps my SSH port always hidden. Sure, there's a minuscule additional negotiation time built in, but for the security it affords, it's worth it. Further, hiding the port almost completely halts Denial of Service attacks. No attacker program has the patience to probe ports in varying sequences in order to try to open a single non-standard port on which it can then attempt a brute force attack for an unknown type of server.

    Too many wolves at the Internet door these days. Best security practices are crucial.
    Last edited by perspectoff; September 20th, 2010 at 08:21 PM.

    UbuntuGuide/KubuntuGuide

    Right now the killer is being surrounded by a web of deduction, forensic science,
    and the latest in technology such as two-way radios and e-mail.
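
Added example, not part of the post above: a shell check that the SSH config file really has password authentication turned off after the key transfer and no longer uses port 22. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print every value of KEYWORD in the global section of an sshd_config-style
# FILE. Keywords are case-insensitive, "Keyword=value" is accepted, and
# parsing stops at the first Match block (its settings are conditional).
sshd_values() {  # usage: sshd_values FILE KEYWORD
    awk -F'[ \t=]+' -v key="$2" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, "") }          # drop indentation; fields re-split
        /^#/ || /^$/ { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2 }
    ' "$1"
}

# sshd uses the FIRST value it reads for a keyword, so a "no" appended below
# an earlier "yes" changes nothing. No line at all means the default, "yes".
password_auth_off() {  # usage: password_auth_off FILE
    first=$(sshd_values "$1" PasswordAuthentication | head -n 1 | tr 'A-Z' 'a-z')
    [ "$first" = "no" ]
}

# Port may appear several times (sshd listens on all of them); with no Port
# line it listens on 22. ListenAddress host:port is not examined here.
listens_on_22() {  # usage: listens_on_22 FILE
    ports=$(sshd_values "$1" Port)
    [ -z "$ports" ] || printf '%s\n' "$ports" | grep -qx 22
}

audit_sshd() {  # prints findings; returns 0 only when both checks pass
    rc=0
    password_auth_off "$1" || { echo "FAIL: password authentication is still on"; rc=1; }
    if listens_on_22 "$1"; then echo "FAIL: still listening on port 22"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: password authentication off, port 22 not in use"
    return "$rc"
}

# Constructed sample: "no" was appended after the key transfer, but the
# "yes" above it is the value sshd would use.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PasswordAuthentication yes
passwordauthentication no
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration and also covers Include files, which this parser does not follow.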
