Password-less login from LAN, but not from public IP ?? - SSH


Thread: Password-less login from LAN, but not from public IP ??

  1. Password-less login from LAN, but not from public IP ??

    I've got a Sun workstation running Solaris 10 at home with an SSH server.
    I also own a Vista laptop, which gets used at home, but also outside.

    While at home, I often log in to the Sun from the laptop using Putty and
    ssh. I enter the password each time.

    I thought of setting up password-less (host based) logins, which would
    be useful when the laptop is at home, to save the hassle of entering the
    password.

    But should I lose the laptop, I don't want anyone else being able to log
    into the Sun without a password.

    Is it possible to set this up in any way so that the Sun will accept
    keyless logins if the laptop's IP is from my local LAN (192.168.0.x), but
    refuse to accept the logins without a password if the laptop is outside
    the LAN with a public IP address?

    If it is, how would I go about allowing login without a password if the
    laptop is at home, but not if it is outside?

  2. Re: Password-less login from LAN, but not from public IP ??

    Dave wrote:

    > Is it possible to set this up in any way so that the Sun will accept
    > keyless logins


    Oops, password-less logins from home, not keyless ones!!


  3. Re: Password-less login from LAN, but not from public IP ??

    On Oct 15, 10:24 am, Dave wrote:
    > Dave wrote:
    > > Is it possible to set this up in any way so that the Sun will accept
    > > keyless logins
    >
    > Oops, password-less logins from home, not keyless ones!!

    Hi Dave,

    as you are a Windows+PuTTY user, please read chapters 8 and 9 of the PuTTY
    documentation:
    http://the.earth.li/~sgtatham/putty/0.60/htmldoc/

    then set up public key authentication and use the PuTTY agent for storing
    your private keys. Now you don't need to type passwords at all, except
    once to unlock the private key at computer start.

    Equivalent programs:

    Unix - ssh, ssh-keygen, ssh-agent
    Windows - putty.exe, puttygen.exe, pageant.exe

    Regards,

    Daniel



  4. Re: Password-less login from LAN, but not from public IP ??

    On Oct 15, 9:05 am, Dave wrote:

    >
    > I thought of setting up password-less (host based) logins, which would
    > be useful when the laptop is at home, to save the hassle of entering the
    > password.


    It's probably better to use ssh public key authentication for this.
    You still need a password (a passphrase really) but if you use an
    agent on the laptop (easy for pretty much any OS) you only need to
    type it once per login session.

    The vulnerabilities are that, while you're logged in, the agent has a
    plaintext-equivalent version of your ssh key in memory, so if anyone
    can snarf that then you're potentially in trouble. Without fairly
    heroic precautions it's probably reasonably easy for someone who gets
    hold of your laptop while you're logged in to grab the key, and you
    have to beware of it ending up on disk via swap. I think if you wanted
    really serious security you'd need to take this into account. But
    worry about encrypting the laptop disk first, probably...

    --tim


  5. Re: Password-less login from LAN, but not from public IP ??

    Daniel Brnak wrote:
    > On Oct 15, 10:24 am, Dave wrote:
    >> Dave wrote:
    >>> Is it possible to set this up in any way so that the Sun will accept
    >>> keyless logins
    >> Oops, password-less logins from home, not keyless ones!!
    >
    > Hi Dave,
    >
    > as you are a Windows+PuTTY user, please read chapters 8 and 9 of the PuTTY
    > documentation:
    > http://the.earth.li/~sgtatham/putty/0.60/htmldoc/
    >
    > then set up public key authentication and use the PuTTY agent for storing
    > your private keys. Now you don't need to type passwords at all, except
    > once to unlock the private key at computer start.
    >
    > Equivalent programs:
    >
    > Unix - ssh, ssh-keygen, ssh-agent
    > Windows - putty.exe, puttygen.exe, pageant.exe
    >
    > Regards,
    >
    > Daniel


    Hi Daniel

    I think you have missed my point a bit, but perhaps I am wrong.

    I'm aware of how to set up logins without passwords using ssh-keygen and
    copying the public key of one machine into $HOME/.ssh/authorized_keys of
    the other. If one does that, with no pass phrase, it is possible to log
    in with no password. (I've only done this on Unix, not Putty on Windows,
    but I think the principles are going to be the same).

    The problem with doing that on a laptop one takes out of the house is
    the private key is not secure. Hence I don't do that.

    I'm asking if it is possible to allow public-key authentication with no
    pass phrase if the machine is on the local LAN (IP=192.168.0.x) but not
    allow logins via public key with no passphrase if the machine is elsewhere.

    Then I could have the convenience of not bothering with a password at
    home, but the security of requiring one if outside the house.

    Perhaps I did not make myself clear.


  6. Re: Password-less login from LAN, but not from public IP ??

    In comp.unix.solaris Dave wrote:
    > Then I could have the convenience of not bothering with a password at
    > home, but the security of requiring one if outside the house.


    Setting up a host-based trust mechanism would be fairly trivial. But I
    think it'd be fairly trivial to compromise as well, I believe. You're
    asking your server to trust a particular FQDN/IP. I'm also assuming that
    your home address isn't made particularly dynamic by your ISP.

    Assuming you shut down your laptop properly before taking it out on the
    town, then your private key is about as secure as your unlocking passphrase.
    And I'd tend to trust that more than I'd rely on the integrity of your
    DNS.

    Personally, I think weakening your server security by establishing any
    kind of trust relationship with an easily-stolen workstation, and yet
    worrying about your private keys on that same workstation... is kind of
    a conflict in goals.

    --
    Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/

  7. Re: Password-less login from LAN, but not from public IP ??

    On Oct 15, 12:52 pm, Dave wrote:

    >
    > I'm aware of how to set up logins without passwords using ssh-keygen and
    > copying the public key of one machine into $HOME/.ssh/authorized_keys of
    > the other. If one does that, with no pass phrase, it is possible to log
    > in with no password. (I've only done this on Unix, not Putty on Windows,
    > but I think the principles are going to be the same).
    >


    So, well, use a passphrase, and just don't run the agent if you're
    away from home.


  8. Re: Password-less login from LAN, but not from public IP ??

    On Oct 15, 6:52 am, Dave wrote:
    > I'm aware of how to set up logins without passwords using ssh-keygen and
    > copying the public key of one machine into $HOME/.ssh/authorized_keys of
    > the other. If one does that, with no pass phrase, it is possible to log
    > in with no password. (I've only done this on Unix, not Putty on Windows,
    > but I think the principles are going to be the same).


    That's not how you do it. You *do* require a passphrase, and then use
    ssh-agent at laptop startup to prompt you for the passphrase. ssh-
    agent caches your passphrase and passes it along with every connection
    you make. If someone steals your laptop (and assuming it was powered
    off at the time), they won't know your passphrase and your keys are
    secure.


  9. Re: Password-less login from LAN, but not from public IP ??

    Dave schrieb:
    > I've got a Sun workstation running Solaris 10 at home with an SSH server.
    > I also own a Vista laptop, which gets used at home, but also outside.
    >
    > While at home, I often log in to the Sun from the laptop using Putty and
    > ssh. I enter the password each time.
    >
    > I thought of setting up password-less (host based) logins, which would
    > be useful when the laptop is at home, to save the hassle of entering the
    > password.
    >
    > But should I lose the laptop, I don't want anyone else being able to log
    > into the Sun without a password.
    >
    > Is it possible to set this up in any way so that the Sun will accept
    > keyless logins if the laptop's IP is from my local LAN (192.168.0.x), but
    > refuse to accept the logins without a password if the laptop is outside
    > the LAN with a public IP address?
    >
    > If it is, how would I go about allowing login without a password if the
    > laptop is at home, but not if it is outside?



    a) tcp-wrapper: allow ssh from inside ip
    b) new versions of sshd have options for matching addresses
    c) use ipf
    d) restrict key with from=x.x.x.x in authorized_keys
    e) use ssh-agent and unload keys outside LAN
    f) !!!! use a firewall !!!!

    Wolfgang

  10. Re: Password-less login from LAN, but not from public IP ??

    On Oct 15, 1:52 pm, Dave wrote:
    > Hi Daniel
    >
    > I think you have missed my point a bit, but perhaps I am wrong.
    >
    > I'm aware of how to set up logins without passwords using ssh-keygen and
    > copying the public key of one machine into $HOME/.ssh/authorized_keys of
    > the other. If one does that, with no pass phrase, it is possible to log
    > in with no password. (I've only done this on Unix, not Putty on Windows,
    > but I think the principles are going to be the same).
    >
    > The problem with doing that on a laptop one takes out of the house is
    > the private key is not secure. Hence I don't do that.
    >
    > I'm asking if it is possible to allow public-key authentication with no
    > pass phrase if the machine is on the local LAN (IP=192.168.0.x) but not
    > allow logins via public key with no passphrase if the machine is elsewhere.
    >
    > Then I could have the convenience of not bothering with a password at
    > home, but the security of requiring one if outside the house.
    >
    > Perhaps I did not make myself clear.



    Hi Dave,

    there were very good suggestions and opinions posted by hume, tim,
    jim, wayne and wolfgang, please read and think about them seriously.

    > The problem with doing that on a laptop one takes out of the house is
    > the private key is not secure. Hence I don't do that.


    Your statement applies for private keys not secured by pass-phrase or
    not restricted for usage.

    To just answer your question
    - setup public key SSH authentication between notebook and server, you
    already know how to do this
    - edit $HOME/.ssh/authorized_keys on your server so it starts with:
    fom="192.168.0.*" ssh-rsa AAAAB3N....

    Now the corresponding private key will have restricted usage from the selected
    addresses == the server will only ask you for the user password if you are
    connecting from outside the LAN.

    Regards,

    Daniel


    PS: I like your motivation for securing access to your servers.
    Practically, I don't make personal private keys without a pass-phrase (I
    am connecting to servers most from internet, often different IPs). For
    easy management of private keys, secured by pass-phrase, programs like
    ssh-agent or Putty agent were introduced (so if my laptop is stolen,
    key is useless). Also I use VPNs a lot (openvpn).


  11. Re: Password-less login from LAN, but not from public IP ??

    > fom="192.168.0.*" ssh-rsa AAAAB3N....

    typo, should be:
    from="192.168.0.*" ssh-rsa AAAAB3N....

    daniel


  12. Re: Password-less login from LAN, but not from public IP ??

    On Oct 16, 1:34 am, Daniel Brnak wrote:
    > To just answer your question
    > - setup public key SSH authentication between notebook and server, you
    > already know how to do this
    > - edit $HOME/.ssh/authorized_keys on your server so it starts with:
    > fom="192.168.0.*" ssh-rsa AAAAB3N....


    typo, it should be
    from="192.168.0.*" ssh-rsa AAAAB3N....

    daniel


  13. Re: Password-less login from LAN, but not from public IP ??

    Daniel Brnak wrote:

    > typo, it should be
    > from="192.168.0.*" ssh-rsa AAAAB3N....
    >
    > daniel
    >


    Thanks, I was not aware it was possible to add a 'from' in the
    $HOME/.ssh/authorized_keys. In theory at least, that would do just what
    I want, permitting the public-key logins from 192.168.0.x, but at the
    same time disallowing them from outside the LAN. However, as someone
    else pointed out, it does rely on the DNS telling the truth.

    But I can't actually think of any mechanism someone outside the LAN
    (let's say at address 222.222.222.222), could break the security. They
    would in some way have to:

    1) Find the laptop
    2) Know how to use SSH
    3) Without first logging in the Sun server, they would need to fool the
    Sun server into thinking the laptop's SSH client is on the 192.168.0.2
    subnet, so allowing public-key logins. But at the same time getting the
    Sun to send back data to 222.222.222.222. I can see with access to the
    DNS servers of my ISP they could fool the Sun into thinking the client
    may be at a 192.168.0.x IP, but I would expect the Sun simply to reply
    to 192.168.0.x, rather than 222.222.222.222.

    That would appear to be a perfect solution, but perhaps I have
    overlooked a flaw.

    For 95% of the time, my firewall on the Sun will only permit SSH
    connections from the LAN and one public IP address. However, there are
    times when I am out of the country and need to allow SSH access from any
    public IP address. In which case, the firewall's rule set is changed to
    allow access from any public IP. That would tend to reduce even more the
    chances of someone being able to get in without a key or a password. But
    as I say, this is only 95% of the time, not 100%.

    It seems like your "from" in $HOME/.ssh/authorized_keys would do all I
    want.

    Any comments before I enable this?

  14. Re: Password-less login from LAN, but not from public IP ??

    Hi,

    > Thanks,I was not aware it was possible to add a 'from' in the
    > $HOME/.ssh/authorized_keys. In theory at least, that would do just what
    > I want, permitting the public-key logins from 192.168.0.x, but at the
    > same time disallowing them from outside the LAN. However, as someone
    > else pointed out, it does rely on the DNS telling the truth.


    To correct, it doesn't rely on DNS at all. Dave, just don't forget to
    regularly update/patch your Solaris ssh server and you will be fine.

    Daniel

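    The `from=` restriction Daniel recommends, and the DNS question raised in
    the two posts above, come down to how sshd matches that option against the
    incoming connection. The Python model below is an added example for this
    thread; it is not code from any of the posts and not OpenSSH's own source.
    It reimplements the documented `from=` semantics: each comma-separated entry
    is either a CIDR block or a glob with `*` and `?` wildcards, a leading `!`
    negates it, the peer's IP address is tested against both kinds of entry,
    the reverse-DNS hostname (only if sshd did a lookup) is tested against glob
    entries only, and any negated match refuses the key regardless of what else
    matched. The sample authorized_keys lines, key blobs and hostnames are
    constructed, and the function names (`acceptable_keys`, `from_allows`,
    `parse_line`, `split_options`) are mine.

```python
"""Model of sshd's from="..." check for ~/.ssh/authorized_keys.

Added example, not code from this thread or from OpenSSH. Entries in the
from list are CIDR blocks or globs ('*', '?', leading '!' negates); the peer
IP is tested against both kinds, the reverse-DNS hostname (if sshd has one)
only against globs, and any negated match refuses the key outright.
"""
import ipaddress
import re

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# laptop key, valid only from the home LAN (Daniel's suggestion)
from="192.168.0.*" ssh-rsa AAAAB3NzaC1yc2EAAAAexampleLAPTOP dave@laptop
# backup job: anywhere in 10/8 except the guest subnet
from="!10.0.5.*,10.0.0.0/8",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAexampleBATCH backup@nas
# hostname glob: satisfied only if reverse DNS returns such a name
from="*.example.net" ssh-rsa AAAAB3NzaC1yc2EAAAAexampleHOST roaming@anywhere
ssh-rsa AAAAB3NzaC1yc2EAAAAexampleOPEN unrestricted@anywhere
"""
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def glob_match(text, pattern):
    """Anchored, case-insensitive match with sshd's two wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE) is not None

def cidr_contains(ip, entry):
    """True/False for an address or CIDR entry; None if entry is a glob."""
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None
    return ipaddress.ip_address(ip) in network

def from_allows(from_list, peer_ip, peer_host=None):
    """Does a from= list admit peer_ip?  peer_host is the reverse-DNS name;
    with UseDNS off sshd uses the IP string instead, which the default models."""
    peer_host = peer_host or peer_ip
    positive = False
    for raw in from_list.split(","):
        entry = raw.strip()
        negated = entry.startswith("!")
        entry = entry[1:] if negated else entry
        if not entry:
            return False                  # sshd treats an empty entry as invalid
        hit = cidr_contains(peer_ip, entry)
        if hit is None:                   # glob: try the IP string, then the name
            hit = glob_match(peer_ip, entry) or glob_match(peer_host, entry)
        if hit and negated:
            return False                  # a negated match wins over everything
        positive = positive or hit
    return positive

def split_options(field):
    """Parse 'a,b="x,y",c' into {'a': True, 'b': 'x,y', 'c': True}."""
    opts, i = {}, 0
    while i < len(field):
        j = i
        while j < len(field) and field[j] not in ",=":
            j += 1
        if field[j:j + 1] == "=":         # quoted value, may contain commas
            if field[j + 1:j + 2] != '"':
                raise ValueError("option values must be double-quoted")
            k = j + 2
            while k < len(field) and field[k] != '"':
                k += 2 if field[k] == "\\" else 1   # skip escaped characters
            opts[field[i:j]] = field[j + 2:k].replace('\\"', '"')
            i = k + 1
        else:
            opts[field[i:j]] = True
            i = j
        if field[i:i + 1] == ",":
            i += 1
    return opts

def parse_line(line):
    """(options, key type, blob, comment) for one line; None if blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {}
    if not line.startswith(KEY_TYPES):    # an options field precedes the key
        i, quoted = 0, False
        while i < len(line) and (quoted or not line[i].isspace()):
            if quoted and line[i] == "\\":
                i += 1                    # skip the escaped character
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        opts, line = split_options(line[:i]), line[i:].strip()
    fields = line.split()
    return opts, fields[0], fields[1], " ".join(fields[2:])

def acceptable_keys(text, peer_ip, peer_host=None):
    """Comments of the keys whose from= (if any) admits this peer."""
    usable = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        opts, _ktype, _blob, comment = parsed
        if "from" not in opts or from_allows(opts["from"], peer_ip, peer_host):
            usable.append(comment)
    return usable
```

    Running `acceptable_keys(SAMPLE_AUTHORIZED_KEYS, "192.168.0.2")` admits the
    laptop key, while `"222.222.222.222"` leaves only the unrestricted key. The
    IP glob `192.168.0.*` is compared with the peer address sshd took from the
    TCP connection, so it works with `UseDNS no` and does not depend on a
    resolver telling the truth; only a hostname glob such as `*.example.net`
    needs reverse DNS to supply that name. Two caveats a practitioner would add:
    `from=` restricts only the key it is attached to, so whether a password is
    then accepted from outside the LAN is decided by `PasswordAuthentication`
    in sshd_config, not by this line; and the check is on the source address,
    so anything that can originate a connection from 192.168.0.x (the stolen
    laptop carried back within range of the home network, or a compromised
    host already on the LAN) is still inside the trust boundary.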

  15. Re: Password-less login from LAN, but not from public IP ??

    On Oct 16, 3:54 am, Dave wrote:
    >
    > Any comments before I enable this?


    Yes: Keys without passphrases are asking for trouble. The only time
    such a thing would be permissible is if you had to set up automated
    secure communication between hosts for something like a batch
    process. If you're logging in interactively, your keys should have
    passphrases and you should be using ssh-agent if you want to cache the
    passphrases.

