[lug] stupid ssh config question

Stephen Kraus ub3ratl4sf00 at gmail.com
Thu Jun 15 11:15:51 MDT 2017


Ideally, the new goal is to isolate internal networks from enterprise
servers now as well, so that you have to VPN even if you are on a corporate
network and wish to access non-exposed services.

I.e.: Last company I set up, their file share and Domain were the only
things on the server accessible on the corporate network; if you wanted to
get SSH/RDP access, you had to VPN into the server network.

On Thu, Jun 15, 2017 at 12:31 PM, Steven A Hart <steven.hart at colorado.edu>
wrote:

> Dan,  I'll look a bit more into this but for right now, I can ssh to the
> server normally as any account using normal passwords (which is what I
> want), and when logged in as root on the server, I can do a passwordless
> login to root on the client.
>
> Jonathan,  Yes, I'd be worried if I had the ssh ports open to the world
> but they are all blocked.  Someone would have to be on campus at CU to try
> any brute force attacks.  I will look into firming this up security-wise
> regardless but my main concern was logging into the server normally.
>
> Thanks all!
>
> Steve
>
> On Thu, Jun 15, 2017 at 10:26 AM, Dan Mackin <dan at appliedtrust.com> wrote:
>
>> You should be able to have pass auth set to no and still use keys. In
>> fact, it's recommended if you're going to use keys. Otherwise you're
>> bypassing keypair auth and just using pass auth. If all you changed was
>> setting pass auth to yes, you're likely now just bypassing keypair auth.
>> -Dan
>>
>> On Thu, Jun 15, 2017 at 10:24 AM, Steven A Hart <steven.hart at colorado.edu> wrote:
>>
>>> Might have just found the problem.  I had PasswordAuthentication set to
>>> no.  Like I said, stupid mistake.
>>>
>>> I know setting things up this way is not great, but since this is not
>>> open to the outside world, I think it's ok for now.
>>>
>>> Thanks for the help everyone.  Sorry to be a bother.
>>>
>>> Steve
>>>
>>> On Thu, Jun 15, 2017 at 10:17 AM, Steven A Hart <steven.hart at colorado.edu> wrote:
>>>
>>>> Stephen, agreed.
>>>>
>>>> David, id_rsa is located in /root/.ssh/
>>>>
>>>> On Thu, Jun 15, 2017 at 10:15 AM, david <dafr at dafr.us> wrote:
>>>>
>>>>> On 06/15/2017 09:02 AM, Steven A Hart wrote:
>>>>>
>>>>>> So on the server I generated the keys resulting in id_rsa and id_rsa.pub
>>>>>> being created.  I moved id_rsa.pub to authorized_keys and copied that
>>>>>> over to the root account on the client in /root/.ssh.  Sure enough, the
>>>>>> ssh works from server to client without password.
>>>>>>
>>>>>> The problem now is that when I ssh from anywhere to the server as either
>>>>>> root or my admin account, I get:
>>>>>>
>>>>>> Permission denied (publickey).
>>>>>>
>>>>>> I know I made a stupid mistake somewhere, I just need someone to point
>>>>>> and say "look there stupid!"
>>>>>>
>>>>>
>>>>>
>>>>> Have you copied id_rsa to the appropriate home account on the
>>>>> originating server? Without that, I would expect the error you present
>>>>> above.
>>>>>
>>>>> dafr
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Web Page:  http://lug.boulder.co.us
>>>>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>>>> Join us on IRC: irc.hackingsociety.org port=6667
>>>>> channel=#hackingsociety
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Steve Hart
>>>> Systems Administrator
>>>> Colorado Center for Astrodynamics Research
>>>> University of Colorado Boulder
>>>> Steven.Hart at colorado.edu
>>>> (303)492-8109
>>>>
>>>
>>
>>
>>
>> --
>> ------
>>  Dan Mackin - http://appliedtrust.com/dan
>>  AppliedTrust - http://appliedtrust.com - 303.245.4516
>>
>
>
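
The sshd_config behaviour discussed in this thread, as an added example that is not part of the original messages: the list inside `Permission denied (...)` is the set of methods the server still offers, so with password logins off, a client whose key is not in `authorized_keys` has nothing left to try, while key logins keep working. The sample configs are constructed (including the assumption that `ChallengeResponseAuthentication` is `no`, since the error quoted lists only `publickey`), the function names are hypothetical, and only the global section and three methods are modelled.

```python
# Added example: model which auth methods sshd advertises, i.e. the list the
# client prints inside "Permission denied (...)". Simplified: global section
# only (stops at the first Match block) and three methods.
DEFAULTS = {  # OpenSSH built-in defaults for the keywords modelled here
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
METHODS = [("publickey", "pubkeyauthentication"),
           ("password", "passwordauthentication"),
           ("keyboard-interactive", "kbdinteractiveauthentication")]

# Constructed sample, not the poster's real sshd_config.
LOCKED = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PasswordAuthentication yes   # ignored: sshd keeps the first value it reads
"""
OPEN = LOCKED.replace("PasswordAuthentication no", "PasswordAuthentication yes")

def parse_global(text):
    """Effective yes/no settings from the global part of an sshd_config."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and len(parts) > 1 and key not in seen:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def offered_methods(text):
    cfg = parse_global(text)
    return [name for name, key in METHODS if cfg[key] == "yes"]

def diagnose(text, client_key_authorized):
    """Outcome for a client, given whether its key is in authorized_keys."""
    methods = offered_methods(text)
    if "publickey" in methods and client_key_authorized:
        return "publickey accepted"
    rest = [m for m in methods if m != "publickey"]
    if rest:
        return "fallback: " + ",".join(rest)
    return "Permission denied (%s)." % ",".join(methods)
```

On a live host, `sshd -T` run as root prints the effective values, including any `Match` handling this model leaves out.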