Password-less login from LAN, but not from public IP ?? - SSH
I've got a Sun workstation running Solaris 10 at home with an SSH server
.. I also own a Vista laptop, which gets used at home, but also outside.
While at home, I often log in to the Sun from the laptop using Putty and
ssh. I enter the password each time.
I thought of setting up password-less (host based) logins, which would
be useful when the laptop is at home, to save the hassle of entering the
password.
But should I lose the laptop, I don't want anyone else being able to log
into the Sun without a password.
Is it possible to set this up in any way so that the Sun will accept
keyless logins if the laptop's IP is from my local LAN (192.168.0.x), but
refuse to accept the logins without a password if the laptop is outside
the LAN with a public IP address?
If it is, how would I go about allowing login without a password if the
laptop is at home, but not if it is outside?
Dave wrote:
> Is it possible to set this up in any way so that the Sun will accept
> keyless logins
Oops, password less logins from home, not keyless ones!!
On Oct 15, 10:24 am, Dave wrote:
> Dave wrote:
> > Is it possible to set this up in any way so that the Sun will accept
> > keyless logins
>
> Oops, password less logins from home, not keyless ones!!
Hi Dave,
as you are windows+putty user, please read chapters 8 and 9 from putty
documentation:
http://the.earth.li/~sgtatham/putty/0.60/htmldoc/
then setup public key authentication and use putty agent for storing
your private keys. Now you don't need to type passwords at all, except
once for unlocking private key at computer start.
Program similarity:
Unix - ssh, ssh-keygen, ssh-agent
Windows - putty.exe, puttygen.exe, pageant.exe
Regards,
Daniel
On Oct 15, 9:05 am, Dave wrote:
>
> I thought of setting up password-less (host based) logins, which would
> be useful when the laptop is at home, to save the hassle of entering the
> password.
It's probably better to use ssh public key authentication for this.
You still need a password (a passphrase really) but if you use an
agent on the laptop (easy for pretty much any OS) you only need to
type it once per login session.
The vulnerabilities are that, while you're logged in, the agent has a
plaintext-equivalent version of your ssh key in memory, so if anyone
can snarf that then you're potentially in trouble. Without fairly
heroic precautions it's probably reasonably easy for someone who gets
hold of your laptop while you're logged in to grab the key, and you
have to beware of it ending up on disk via swap. I think if you wanted
really serious security you'd need to take this into account. But
worry about encrypting the laptop disk first, probably...
--tim
Daniel Brnak wrote:
> On Oct 15, 10:24 am, Dave wrote:
>> Dave wrote:
>>> Is it possible to set this up in any way so that the Sun will accept
>>> keyless logins
>> Oops, password less logins from home, not keyless ones!!
>
>
> Hi Dave,
>
> as you are windows+putty user, please read chapters 8 and 9 from putty
> documentation:
> http://the.earth.li/~sgtatham/putty/0.60/htmldoc/
>
> then setup public key authentication and use putty agent for storing
> your private keys. Now you don't need to type passwords at all, except
> once for unlocking private key at computer start.
>
> Program similarity:
>
> Unix - ssh, ssh-keygen, ssh-agent
> Windows - putty.exe, puttygen.exe, pageant.exe
>
> Regards,
>
> Daniel
Hi Daniel
I think you have missed my point a bit, but perhaps I am wrong.
I'm aware of how to set up logins without passwords using ssh-keygen and
copying the public key of one machine into $HOME/.ssh/authorized_keys of
the other. If one does that, with no pass phrase, it is possible to log
in with no password. (I've only done this on Unix, not Putty on Windows,
but I think the principles are going to be the same).
The problem with doing that on a laptop one takes out of the house is
the private key is not secure. Hence I don't do that.
I'm asking if it is possible to allow public-key authentication with no
pass phrase if the machine is on the local LAN (IP=192.168.0.x) but not
allow logins via public key with no passphrase if the machine is elsewhere.
Then I could have the convenience of not bothering with a password at
home, but the security of requiring one if outside the house.
Perhaps I did not make myself clear.
In comp.unix.solaris Dave wrote:
> Then I could have the convenience of not bothering with a password at
> home, but the security of requiring one if outside the house.
Setting up a host-based trust mechanism would be fairly trivial. But I
think it'd be fairly trivial to compromise as well, I believe. You're
asking your server to trust a particular FQDN/IP. I'm also assuming that
your home address isn't made particularly dynamic by your ISP.
Assuming you shut down your laptop properly before taking it out on the
town, then your private key is about as secure as your unlocking passphrase.
And I'd tend to trust that more than I'd rely on the integrity of your
DNS.
Personally, I think weakening your server security by establishing any
kind of trust relationship with an easily-stolen workstation, and yet
worrying about your private keys on that same workstation... is kind of
a conflict in goals.
--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
On Oct 15, 12:52 pm, Dave wrote:
>
> I'm aware of how to set up logins without passwords using ssh-keygen and
> copying the public key of one machine into $HOME/.ssh/authorized_keys of
> the other. If one does that, with no pass phrase, it is possible to log
> in with no password. (I've only done this on Unix, not Putty on Windows,
> but I think the principles are going to be the same).
>
So, well, use a passphrase, and just don't run the agent if you're
away from home.
On Oct 15, 6:52 am, Dave wrote:
> I'm aware of how to set up logins without passwords using ssh-keygen and
> copying the public key of one machine into $HOME/.ssh/authorized_keys of
> the other. If one does that, with no pass phrase, it is possible to log
> in with no password. (I've only done this on Unix, not Putty on Windows,
> but I think the principles are going to be the same).
That's not how you do it. You *do* require a passphrase, and then use
ssh-agent at laptop startup to prompt you for the passphrase. ssh-
agent caches your passphrase and passes it along with every connection
you make. If someone steals your laptop (and assuming it was powered
off at the time), they won't know your passphrase and your keys are
secure.
Dave wrote:
> I've got a Sun workstation running Solaris 10 at home with an SSH server
> . I also own a Vista laptop, which gets used at home, but also outside.
>
> While at home, I often log in to the Sun from the laptop using Putty and
> ssh. I enter the password each time.
>
> I thought of setting up password-less (host based) logins, which would
> be useful when the laptop is at home, to save the hassle of entering the
> password.
>
> But should I lose the laptop, I don't want anyone else being able to log
> into the Sun without a password.
>
> Is it possible to set this up in any way so that the Sun will accept
> keyless logins if the laptop's IP is from my local LAN (192.168.0.x), but
> refuse to accept the logins without a password if the laptop is outside
> the LAN with a public IP address?
>
> If it is, how would I go about allowing login without a password if the
> laptop is at home, but not if it is outside?
a) tcp-wrapper: allow ssh from inside ip
b) new versions of sshd have options for matching address
c) use ipf
d) restrict key with from=x.x.x.x in authorized_keys
e) use ssh-agent and unload keys outside LAN
f) !!!! use a firewall !!!!
Wolfgang
On Oct 15, 1:52 pm, Dave wrote:
> Daniel Brnak wrote:
> > On Oct 15, 10:24 am, Dave wrote:
> >> Dave wrote:
> >>> Is it possible to set this up in any way so that the Sun will accept
> >>> keyless logins
> >> Oops, password less logins from home, not keyless ones!!
>
> > Hi Dave,
>
> > as you are windows+putty user, please read chapters 8 and 9 from putty
> > documentation:
> >http://the.earth.li/~sgtatham/putty/0.60/htmldoc/
>
> > then setup public key authentication and use putty agent for storing
> > your private keys. Now you don't need to type passwords at all, except
> > once for unlocking private key at computer start.
>
> > Program similarity:
>
> > Unix - ssh, ssh-keygen, ssh-agent
> > Windows - putty.exe, puttygen.exe, pageant.exe
>
> > Regards,
>
> > Daniel
>
> Hi Daniel
>
> I think you have missed my point a bit, but perhaps I am wrong.
>
> I'm aware of how to set up logins without passwords using ssh-keygen and
> copying the public key of one machine into $HOME/.ssh/authorized_keys of
> the other. If one does that, with no pass phrase, it is possible to log
> in with no password. (I've only done this on Unix, not Putty on Windows,
> but I think the principles are going to be the same).
>
> The problem with doing that on a laptop one takes out of the house is
> the private key is not secure. Hence I don't do that.
>
> I'm asking if it is possible to allow public-key authentication with no
> pass phrase if the machine is on the local LAN (IP=192.168.0.x) but not
> allow logins via public key with no passphrase if the machine is elsewhere.
>
> Then I could have the convenience of not bothering with a password at
> home, but the security of requiring one if outside the house.
>
> Perhaps I did not make myself clear.
Hi Dave,
there were very good suggestions and opinions posted by hume, tim,
jim, wayne and wolfgang, please read and think about them seriously.
> The problem with doing that on a laptop one takes out of the house is
> the private key is not secure. Hence I don't do that.
Your statement applies for private keys not secured by pass-phrase or
not restricted for usage.
To just answer your question
- setup public key SSH authentication between notebook and server, you
already know how to do this
- edit $HOME/.ssh/authorized_keys on your server so it starts with:
fom="192.168.0.*" ssh-rsa AAAAB3N....
Now the corresponding private key will have restricted usage from selected
addresses == server will only ask you for user password, if connecting
not from LAN.
Regards,
Daniel
PS: I like your motivation for securing access to your servers.
Practically, I don't make personal private keys without pass-phrase (I
am connecting to servers most from internet, often different IPs). For
easy management of private keys, secured by pass-phrase, programs like
ssh-agent or Putty agent were introduced (so if my laptop is stolen,
key is useless). Also I use VPNs a lot (openvpn).
> fom="192.168.0.*" ssh-rsa AAAAB3N....
typo, should be:
from="192.168.0.*" ssh-rsa AAAAB3N....
daniel
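The two server-side mechanisms the thread settles on, Daniel's `from=` option in authorized_keys and Wolfgang's "options for matching address" in sshd_config (`Match Address`), are modelled below as an added example; this is not code from OpenSSH, Sun SSH or any poster. It follows the matching rules the sshd documentation gives: `*` and `?` wildcards, comma-separated lists, a leading `!` that rejects the whole list when it matches, and CIDR notation for addresses. Everything is compared against the client's source IP on the TCP connection, which is why the check does not depend on DNS; hostname patterns are left out. The key blob and the sshd_config text are constructed samples, and the `Match` part assumes an OpenSSH release that accepts `PubkeyAuthentication` inside a `Match` block (recent OpenSSH does; `Match` itself arrived in OpenSSH 4.4, which is the "new versions of sshd" caveat Wolfgang gave).

```python
"""Model of the two source-address checks discussed in this thread: from="..."
on a key in ~/.ssh/authorized_keys and a 'Match Address' block in sshd_config.
Added example, not OpenSSH, Sun SSH or any poster's code. Matching is against
the client's source IP on the TCP connection; DNS and hostname patterns are not
modelled."""
import ipaddress
import re

# Constructed sample authorized_keys line; the key blob is a placeholder.
SAMPLE_KEY_LINE = 'from="192.168.0.*" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY dave@laptop'

# Constructed sshd_config: password only from outside, key accepted on the LAN.
# Assumes an OpenSSH release that allows PubkeyAuthentication inside Match.
SAMPLE_SSHD_CONFIG = """
PubkeyAuthentication no
PasswordAuthentication yes

Match Address 192.168.0.0/24
    PubkeyAuthentication yes
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def match_pattern(pattern, text):
    """sshd-style wildcard: '*' is any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None


def match_address_list(patterns, client_ip):
    """True if client_ip passes a comma-separated address pattern list: a
    matching '!' entry rejects at once, otherwise any positive match accepts."""
    addr = ipaddress.ip_address(client_ip)
    accepted = False
    for entry in patterns.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negated = entry.startswith("!")
        if negated:
            entry = entry[1:]
        if "/" in entry:  # CIDR entries are compared as networks
            hit = addr in ipaddress.ip_network(entry, strict=False)
        else:  # everything else as a wildcard pattern on the dotted quad
            hit = match_pattern(entry, client_ip)
        if hit and negated:
            return False
        accepted = accepted or hit
    return accepted


def parse_authorized_key(line):
    """Return (options dict, key type, key blob) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        option_text, rest = "", line
    else:
        # The option prefix ends at the first whitespace outside double quotes.
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)$', line)
        if not m:
            raise ValueError("no key material after the options")
        option_text, rest = m.group(1), m.group(2)
    options = {}
    for opt in re.findall(r'(?:[^,"]|"[^"]*")+', option_text):  # split outside quotes
        name, _, value = opt.partition("=")
        options[name.strip()] = value.strip().strip('"')
    key_type, _, remainder = rest.partition(" ")
    return options, key_type, remainder.split(" ")[0]


def key_usable_from(line, client_ip):
    """Would sshd accept this key from client_ip? A key rejected by from= is
    simply skipped; the client then falls through to the other methods sshd
    offers, such as a password."""
    options, _, _ = parse_authorized_key(line)
    if "from" not in options:
        return True
    return match_address_list(options["from"], client_ip)


def effective_settings(config_text, client_ip):
    """Settings sshd applies to a connection from client_ip: global keywords,
    overridden by every matching 'Match Address' block; for a keyword set in
    several matching blocks the first block wins."""
    global_settings, match_settings = {}, {}
    in_global, block_active = True, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        if keyword.lower() == "match":
            criterion, _, arg = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError("only 'Match Address' is modelled")
            in_global, block_active = False, match_address_list(arg, client_ip)
        elif in_global:
            global_settings[keyword] = value
        elif block_active:
            match_settings.setdefault(keyword, value)
    return {**global_settings, **match_settings}
```

On a real OpenSSH server the effective settings for a given client can be printed with `sshd -T -C user=dave,addr=192.168.0.17` rather than guessed. Either mechanism only limits where a key is accepted from, not who holds it: a passphrase-less key restricted with `from=` is still a usable credential to anyone on the LAN who obtains the laptop, which is why the thread's advice to keep a passphrase and load the key into an agent still applies alongside the address restriction.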
On Oct 16, 1:34 am, Daniel Brnak wrote:
> On Oct 15, 1:52 pm, Dave wrote:
>
>
>
> > Daniel Brnak wrote:
> > > On Oct 15, 10:24 am, Dave wrote:
> > >> Dave wrote:
> > >>> Is it possible to set this up in any way so that the Sun will accept
> > >>> keyless logins
> > >> Oops, password less logins from home, not keyless ones!!
>
> > > Hi Dave,
>
> > > as you are windows+putty user, please read chapters 8 and 9 from putty
> > > documentation:
> > >http://the.earth.li/~sgtatham/putty/0.60/htmldoc/
>
> > > then setup public key authentication and use putty agent for storing
> > > your private keys. Now you don't need to type passwords at all, except
> > > once for unlocking private key at computer start.
>
> > > Program similarity:
>
> > > Unix - ssh, ssh-keygen, ssh-agent
> > > Windows - putty.exe, puttygen.exe, pageant.exe
>
> > > Regards,
>
> > > Daniel
>
> > Hi Daniel
>
> > I think you have missed my point a bit, but perhaps I am wrong.
>
> > I'm aware of how to set up logins without passwords using ssh-keygen and
> > copying the public key of one machine into $HOME/.ssh/authorized_keys of
> > the other. If one does that, with no pass phrase, it is possible to log
> > in with no password. (I've only done this on Unix, not Putty on Windows,
> > but I think the principles are going to be the same).
>
> > The problem with doing that on a laptop one takes out of the house is
> > the private key is not secure. Hence I don't do that.
>
> > I'm asking if it is possible to allow public-key authentication with no
> > pass phrase if the machine is on the local LAN (IP=192.168.0.x) but not
> > allow logins via public key with no passphrase if the machine is elsewhere.
>
> > Then I could have the convenience of not bothering with a password at
> > home, but the security of requiring one if outside the house.
>
> > Perhaps I did not make myself clear.
>
> Hi Dave,
>
> there were very good suggestions and opinions posted by hume, tim,
> jim, wayne and wolfgang, please read and think about them seriously.
>
> > The problem with doing that on a laptop one takes out of the house is
> > the private key is not secure. Hence I don't do that.
>
> Your statement applies for private keys not secured by pass-phrase or
> not restricted for usage.
>
> To just answer your question
> - setup public key SSH authentication between notebook and server, you
> already know how to do this
> - edit $HOME/.ssh/authorized_keys on your server so it starts with:
> fom="192.168.0.*" ssh-rsa AAAAB3N....
typo, it should be
from="192.168.0.*" ssh-rsa AAAAB3N....
daniel
Daniel Brnak wrote:
> typo, it should be
> from="192.168.0.*" ssh-rsa AAAAB3N....
>
> daniel
>
Thanks, I was not aware it was possible to add a 'from' in the
$HOME/.ssh/authorized_keys. In theory at least, that would do just what
I want, permitting the public-key logins from 192.168.0.x, but at the
same time disallowing them from outside the LAN. However, as someone
else pointed out, it does rely on the DNS telling the truth.
But I can't actually think of any mechanism someone outside the LAN
(let's say at address 222.222.222.222), could break the security. They
would in some way have to:
1) Find the laptop
2) Know how to use SSH
3) Without first logging in the Sun server, they would need to fool the
Sun server into thinking the laptop's SSH client is on the 192.168.0.2
subnet, so allowing public-key logins. But at the same time getting the
Sun to send back data to 222.222.222.222. I can see with access to the
DNS servers of my ISP they could fool the Sun into thinking the client
may be at a 192.168.0.x IP, but I would expect the Sun simply to reply
to 192.168.0.x, rather than 222.222.222.222.
That would appear to be a perfect solution, but perhaps I have
overlooked a flaw.
For 95% of the time, my firewall on the Sun will only permit SSH
connections from the LAN and one public IP address. However, there are
times when I am out of the country and need to allow SSH access from any
public IP address. In which case, the firewall's rule set is changed to
allow access from any public IP. That would tend to reduce even more the
chances of someone being able to get in without a key or a password. But
as I say, this is only 95% of the time, not 100%.
It seems like your "from" in $HOME/.ssh/authorized_keys would do all I
want.
Any comments before I enable this?
Hi,
> Thanks, I was not aware it was possible to add a 'from' in the
> $HOME/.ssh/authorized_keys. In theory at least, that would do just what
> I want, permitting the public-key logins from 192.168.0.x, but at the
> same time disallowing them from outside the LAN. However, as someone
> else pointed out, it does rely on the DNS telling the truth.
To correct, it doesn't rely on DNS at all. Dave, just don't forget to
regularly update/patch your solaris ssh server and you will be fine.
Daniel
On Oct 16, 3:54 am, Dave wrote:
>
> Any comments before I enable this?
Yes: Keys without passphrases are asking for trouble. The only time
such a thing would be permissible is if you had to set up automated
secure communication between hosts for something like a batch
process. If you're logging in interactively, your keys should have
passphrases and you should be using ssh-agent if you want to cache the
passphrases.