[NTLUG:Discuss] SSH
Chris Cox
cjcox at acm.org
Mon Oct 13 23:40:53 CDT 2003
severian at pobox.com wrote:
...
My opinions... no warranties...
> I have a few questions for people that have done this before.
>
> 1. I disabled type 1 ssh keys, since type 2 keys seem to be more
> secure. Is there any reason to allow type 1 keys? I realize that some
> people may have to interface with software that only supports type 1
> keys, but that does not apply to me.
There is NO good reason to use ssh 1 anymore. Only if the clients
you HAVE to I/F are incapable of v2... and even then, it's easier to
just pour coffee onto your computer repeatedly until it dies.
> 2. I generated my public keys with OpenSSH. They work fine when I
> drive the customer's Windows machine from my Linux machine at home. I
> have not figured out how to import those public keys into Putty. By
> googling, I find a bunch of references on how to take keys from Putty to
> OpenSSH, but that is the wrong direction for me.
Create a PuTTY key (or load an existing one) using puttygen and then
cut and paste the OpenSSH compatible key (at the top) into your
Linux side. Not sure if there's another way or not.
> 3. This Linux machine has a static IP and will stay up 24/7. I am
> trying to figure out what I should do to the machine to make it
> relatively secure. I've closed obvious things like ftp and telnet. I am
> tempted to close just about every port except the port I use for SSH,
> but I wonder if that is too drastic. I have been reading a number of
> web sites, but I have not found one that seems authoritative. Any
> thoughts?
IMHO, disable ICMP ping(echo). Configure SSH to only allow logins
from known IPs... else, configure to only allow certain ids.. or better
disable tunneled cleartext passwords (PasswordAuthentication no).
IMHO, if you are not a 24x7 admin on the box (or it doesn't have a
24x7 effective admin), I would not leave any other port open,
regardless. I have several hosts I manage strictly through their
open ssh port.
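
The sshd settings suggested in the reply above (no protocol 1, no password logins, logins limited to named users or known addresses), written as a check over an sshd_config file. This is an added example, not part of the original post; the finding names, the sample configs and the address 192.0.2.10 are constructed, and only the global section before any Match block is read.

```python
# Added example: audit an sshd_config for the settings discussed in the thread.
# Assumption: keyword and value are separated by whitespace (no "key=value").

DEFAULTS = {"passwordauthentication": "yes"}  # OpenSSH default when unset

# Constructed sample configs
WEAK = "Protocol 2,1\nPasswordAuthentication yes\n"
HARDENED = """# constructed sample
Protocol 2
PasswordAuthentication no
AllowUsers admin@192.0.2.10
passwordauthentication yes
"""

def parse_global(text):
    """Return {keyword: [values]} for lines before the first Match block."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # per-Match overrides are not audited
        opts.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def audit(text):
    """Return a list of findings; an empty list means all checks passed."""
    opts = parse_global(text)
    # sshd uses the first value it reads for a keyword, so later lines lose
    first = lambda k: opts.get(k, [DEFAULTS.get(k)])[0]
    findings = []
    proto = first("protocol")
    if proto and "1" in [p.strip() for p in proto.split(",")]:
        findings.append("protocol-1-enabled")
    if (first("passwordauthentication") or "").lower() != "no":
        findings.append("password-auth-enabled")
    allow = " ".join(opts.get("allowusers", [])).split()
    if not allow:
        findings.append("no-allowusers")
    elif not all("@" in entry for entry in allow):
        findings.append("allowusers-any-host")  # user named, source not pinned
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

The trailing `passwordauthentication yes` in the hardened sample has no effect because the earlier `no` is read first; `sshd -T` on the host prints the configuration the daemon will actually use.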