Fedora Security :: Sshd With Both Certificate AND Password After Each Other?
Mar 9, 2011
I want to enable sshd from Internet, but I want to secure it as much as possible.Therefore, despite the fact that the service will run on a tcp port above 2000 to prevent most scans, I would like to :- First, force the use of a client certificate, to avoid brute force attack on my users/passwords- second force the use of a username/password to avoid someone having access to my system just by stealing my key..When I look at the configuration, it's possible to enable both, but one of them is sufficient to login, but I can't find how to make them both mandatory...
View 2 Replies
ADVERTISEMENT
Mar 28, 2010
Quote:
Code:
I've used these commands to generate my new keys and immediately got my sshd server running.
However, I now have the problem where the password is not being recognized and is repeatedly asked for.
View 2 Replies
View Related
Aug 10, 2010
I have a problem with sshd daemon on a target linux system:The system has only one user (root) without password.The sshd_config looks like:
Code:
Port 22
Protocol 2
[code]...
View 8 Replies
View Related
Sep 28, 2010
I have a site in India that needs to be accessed by our offices round the world. I have added AllowUsers lines for the static IP's in those offices. However, we also have a couple of people who travel and don't have static ip's. Is it possible to enable both AllowUsers for the offices and have certificate access for the others?
View 1 Replies
View Related
Apr 2, 2009
I am having issues with using OpenSSL. How do I view the currently used certificate? Also, do you know of a good site that has instructions on how to install a certificate. The previous user installed a GoDaddy cert for an FTP server and I need to update it because it's expiring real soon.
View 10 Replies
View Related
Jun 15, 2010
Got F13 installed yesterday, this afternoon I suddenly started getting Secure Connection Failed warnings. I'm not sure whose problem it is because it mentions uses an invalid security certificate.This certificate is only valid for *.opendns.com(Error Code: ssl_error_bad_cert_domain)It continues to say that someone could be impersonating the actual server. I am still receiving mail through google and my google calendars seem to be working. I do use OpenDNS for my DNS instead of my ISPs (Comcast which would very often slow down) and obviously I use IMAP mail with google on Thunderbird. So is it google, or OpenDNS, or Thunderbird that has a problem. Firefox does not seem to have a problem
View 2 Replies
View Related
Apr 14, 2011
How can I add an existing certificate (pem format) as trusted in Fedora via the command line?Do I have to copy the files to a certain keystore? Where does Fedora store the trusted certificates
View 2 Replies
View Related
Feb 18, 2011
I have an sshd server up and running (F13 64bit) I'd like to connect to a pc that's behind a firewall using ssh tunnelling, so I have something like
ssh -R 1234:127.0.0.1:22 myuser@mypc
then from mypc I can succesfully login to the remote pc. I have just une question. How can I list the ssh active connections and the forwarded ports ?
I've only got to
netstat -tunva
but this returns only (filtered)
tcp 0 0 127.0.0.1:1234 0.0.0.0:* LISTEN
tcp 0 0 ::ffff:172.16.0.XXX:22 ::ffff:172.16.1.XXX:60744 ESTABLISHED
Now I know that the first is the tunnel end but how can I connect the two lines if I don't know the port number (ie: someone else estabilieshes another tunnel)
View 4 Replies
View Related
Mar 6, 2010
I'm trying to setup ssh access on my Fedora 12 laptop. I get the following error message in /var/log/secure when I try to login from another machine using ssh and the login is denied:
Code:
sshd[3025]: error: Could not get shadow information for <user>
sshd[3025]: Failed password for <user> from <ip> port <port> ssh2
If I do a 'setenforce 0' I can login and no error is logged.
View 10 Replies
View Related
May 25, 2011
Tried google and searching this forum to no avail. Under Fedora 14, there is an selinux policy which blocks sshd from making outbound connections on port 80 or 443. This can occur when a client box tries to tunnel through the ssh connection for encrypted access to the web.
While I did manage to allow this happen by creating a permissive domain for sshd with this command:
Code:
The preferred way would be to allow sshd to make connection on other ports with a similar command that does not seem to work:
Code:
Is this the correct way of allowing an outbound port connection for the sshd daemon?
View 2 Replies
View Related
Jan 4, 2010
I am trying to renew the existing SSL certificate by using genkey for our shopping website. i havent seen any information how to generate a new certificate for. Is any one could tell me how to change SSL certificates?
View 4 Replies
View Related
Oct 13, 2010
I set up a debian lenny in vmware on my windows machine. The network interface is set to bridged, so the virtual machine is connected directly to the university network i am connected to. I want to be able to ssh into the vm.I installed sshd via "apt-get install ssh", generated a key pair with puttygen and copied the public part to "/home/user/.ssh/authorized_keys", set rights to 600 and then tried to disable password authentication completely, following the "securing debian" documentation.this is how my /etc/ssh/sshd_config looks now:
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
[code]...
View 7 Replies
View Related
Jul 18, 2011
I'm trying to figure out why my industrial appliance (x86, running kernel 2.6.21.7 and OpenSSH_4.3p2 / OpenSSL 0.9.7m) accepts ssh connections without asking for a password (even for root)!When I log on to the local console as root I have to enter a password but strangely this prompt won't appear using a ssh connection (although I'm not using any client certificates).Of course that not acceptable but I just can't find the related configuration entry to disable this "password-less" authentification.Is this related to the sshd or has it something to do with the PAM module?
- Update ->
While looking at /var/log/secure, I've found the following lines:
Jul 18 16:55:07 localhost sshd[5712]: Accepted none for root from XXX port 6393 ssh2
[code]....
View 8 Replies
View Related
Mar 9, 2010
I have a RHEL server with users logging in via ssh. I want to start using public keys instead of passwords with ssh. But public key is as good as a rotten tomato if it is unpassphrased and I cannot guarantee that all users will use passphrases. Therefore I will generate both private and public key on the server and will distribute the private key to the user via user-friendly web interface and thats where I will force them to use passphrase. I know they can change later the passphrase or remove it totally but my users are not so advanced.
So now I am trying to setup a centralized authorized_keys file with to be able to make them only root writable so they cannot put their own public keys on the server , it will be handled by scripts. Now the actual problem. I created /etc/ssh/keys directory instead of ~/.ssh and changed AuthorizedKeysFile to /etc/ssh/keys/%u in sshd_config But when I try to connect with the key I get the following error in the logs (after enabling DEBUG3 in sshd_config)
<CUT>
Mar 8 15:22:28 stagesmpp sshd[12248]: debug3: mm_request_receive entering
Mar 8 15:22:29 stagesmpp sshd[22358]: debug2: channel 0: rcvd adjust 33544
Mar 8 15:22:30 stagesmpp sshd[12248]: debug3: monitor_read: checking request 20
[code]...
View 2 Replies
View Related
Nov 4, 2010
Quick explanation about what this thread is: by way of an article featured on linuxtoday, I learned about what appears to be an actively managed IP blacklist: [URL]
# This is a compiled list of dirty hosts associated with
# bruteforcing attempts, spam, botnets, RBN and the list
# continues to grow. The data is comprised of information
# compiled from Arbor Networks, Project Honeypot, FIRE
# (maliciousnetwork.org), Host Exploit, Shadowserver and
# a variety of other similarly based sites.
Quick explanation about what this thread is not: this is not intended to be a discussion about default deny vs. default allow (i.e. whitelists vs. blacklists), nor is this a call for enumerations of your own sshd hardening strategy. Please try to keep on point. That said, can anyone speak to the quality of the blacklist information noted above? And/or are there any suggestions for a readily available blacklist of "known better" quality? I plan to try including an actively maintained blacklist like this into a multi-layered approach for hardening an sshd bastion host.
View 4 Replies
View Related
May 11, 2011
I am running a fresh installation of RHEL 6 box and it shipped with Openssh 5.3.But, /etc/ssh/moduli file doesn't exist even in this new installation and the SSH log warns as below:PHP Code:WARNING: /etc/ssh/moduli does not exist, using fixed modulusDoes this imply that it is using the same random number for key exchange purpose ? Also, does it impose any security risks
View 2 Replies
View Related
Nov 29, 2010
On startup - prompt asking for apache certificate password doesn't accept input. Can switch to another tty but can't restart apache due to the port already being bound (suppose I could change ports for apache config after startup but that's pretty ugly and clearly not the right way to address the problem.
View 5 Replies
View Related
Apr 7, 2010
When running MUTT on a RHEL 5.4 box, I get the message:
------------------------------------------------------
Server certificate has expired
This certificate belongs to:
localhost.localdomain
Unknown
SomeOrganization
SomeOrganizationalUnit
[URL]
I choose "accept always", but the same message appears next time. I do not wish to have a certificate requirement for MUTT and did not intentionally set the program up to include this feature. How can I get rid of it? My second choice would be to get a new certificate, but then I have to go through this every year. I have MUTT working on two other servers and this does not happen.
View 3 Replies
View Related
Mar 19, 2010
I was trying to configure user authentication in SSH using certificate method.As u all know the usual way of authentication is using the ssh-keygen method. But i want the another method where we create a certificate key and send it to the CA, which signs it and send back etc etc.I cannot find any unique procedure in the net to configure this method.
View 3 Replies
View Related
Jan 18, 2010
I'm having troubles trying to understand this problem:my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine;this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh?I got an error about "Connection closed by remote host". Google helped me finding that was regarded to hosts.deny file, that was actually containing a lineALL:ALLthat I commented, and all was fine.My question is: why the hosts.deny (that has never changed) was observed only with the local IP?I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem
View 1 Replies
View Related
Feb 9, 2011
What is happening when I log in to my Ubuntu server machine via ssh and putty. trying to understand everything, primarily securing my server.
I have specified the ssh server to listen on port 5525, and can login without a problem.
When I look at the logs though it says I connected from xxx.xx.xx.xx on port 53602.
What is happening here and why is the logged connection a different port to the one specified in the config file?
View 1 Replies
View Related
Jun 11, 2011
I've been using ssh for a LONG time to connect my laptop to my desktop with no problems. I use a non-standard port (nnnnn) and keys. After a power outage that caused a shutdown and reboot, I can no longer ssh into the desktop. The only changes I've made are updates (laptop and desktop both running ubuntu 10.04).
$ ssh -p nnnnn Desktop
ssh: connect to host Desktop port nnnnn: Connection refused
No messages are generated in any of the logs on Desktop!
$ /usr/sbin/sshd -T
port nnnnn
protocol 2
addressfamily any
listenaddress 0.0.0.0:12023
listenaddress [::]:12023 .....
View 9 Replies
View Related
Mar 25, 2010
Having read how a private company is providing governments (and probably criminals) with a box that can listen in on SSL traffic by the use of forged CA certificates - [URL]. It turns out there's already a forged certificate in Firefox 3.6.
Go to Edit>Preferences>Advanced>Encryption>View Certificates and look for 'Equifax Secure Inc.' - You should see a proof-of-concept rogue certificate called 'MD5 Collisions Inc.' and a link to phreedom which explains the method used to generate it. That little lock doesn't necessarily mean that you're safe...
View 4 Replies
View Related
Jan 5, 2011
The problem is here:When I was open gmail in my system Certificate Error is coming. The error details:
This Connection is Untrusted You have asked Firefox to connect securely to url, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do? If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
code....
View 7 Replies
View Related
Oct 7, 2010
At the login webpage of <[URL]>, the Time Warner Cable (TWC) Webmail site, I am immediately confronted with a warning that the Security Certificate is invalid & that the site is untrusted. This occurs with Firefox, Seamonkey, & Konqueror. This does not occur on Microsoft or Apple systems; I have checked other colleagues machines. I have manually overridden the warning & everything functions fine. I have contacted TWC & am awaiting their tests. But, I would like some independent corroboration from other users in the Linux community. Could some of you perform the test yourself on this URL? An error will be readily apparent.
View 14 Replies
View Related
Dec 19, 2010
When a user that has rsa public key set in ~/.ssh/authorized_keys file logs in via ssh an sshd process is started to handle the ssh session.Periodically we audit the authorized keys and remove them from the system and authorized_keys file. This means the next log in attempt will fail, which is fine.However we need to terminate current ssh sessions in progress that use the rsa key.I have not been able to determine a way to map sshd processes with authorized_keys entries.
View 11 Replies
View Related
Jan 25, 2010
Occasionally my machine displays the following warning whenever left to itself for an hour or so. "www.windowsvistatestdrive.com:443 uses an invalid security certificate. The certificate expired on 09/16/2009 10:52 AM. (Error code: sec_error_expired_certificate)"
I am not trying to access this site. It is not always the same url. My machine, described below, is networked to an XP machine which recently had to be recovered after a viral attack. Since I am not usually interested I decline to use the certificate and the warning goes away.
View 2 Replies
View Related
Apr 25, 2009
I just upgraded from Ubuntu 8.10 to 9.04. I installed Webmin 1.470 but when I tried to run it from Firefox 3.09 I got the following message.
localhost:10000 uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer).
Never had this problem with Ubuntu 8.04.
View 9 Replies
View Related
Apr 28, 2011
Is there an ssh or sshd parameter that can be set to block out a user after a set number of attempts tp login ?
View 1 Replies
View Related
Dec 6, 2010
Firefox 3.6.12 on Ubuntu 10.10 on my desktop computer is reporting a "this connection is untrusted" error for sites that have security certificates provided by COMODO. Yet, the same sites work fine in Firefox 3.6.x on Windows XP, or Chromium in Ubuntu. Here is the more specific message: "The certificate is not trusted because the issuer certificate is unknown.
(Error code: sec_error_unknown_issuer)" The issuer is listed as "COMODO High Assurance Secure Server CA." Here are some examples that throw this error for me:[URL]... It appears that there was some controversy with COMODO and Mozilla (due to bad behavior by COMODO) in the past, but all I can find on that indicates that this should be not an issue any longer.
Anybody with ideas?
View 1 Replies
View Related
