Two SSH-related questions

Two questions, please, from a bit of an SSH noob:

1. Is there a way to coax Vine into using public/private key pairs to authenticate, or does it only support password authentication?

2. There seem to be at least two different methods of using SSH with Vine: one, use the built-in SSH support, or two, first create an SSH tunnel between the machines, then use a 'normal' connection to the localhost end of the tunnel. Is either one inherently more secure than the other?

Thanks for your insight...

Jack

Comments

  • JonathanOSX ForumAdmin
    Let's answer those questions in reverse order. The "built-in" SSH service of Vine does exactly what you mention. It creates an SSH tunnel through which the VNC traffic is forwarded.

    As far as public-key authentication, it is supported, but you will need to set up your key pair manually using ssh-keygen and then you will need to manually place your public key in the authorized_hosts file on the remote computer.

    Once that is done you can connect using Vine's SSH by entering the proper host (and the username if the foreign username doesn't match the local one).
  • JonathanOSX wrote:
    Let's answer those questions in reverse order. The "built-in" SSH service of Vine does exactly what you mention. It creates an SSH tunnel through which the VNC traffic is forwarded.
    Understood, thanks.
    JonathanOSX wrote:
    As far as public-key authentication, it is supported, but you will need to set up your key pair manually using ssh-keygen and then you will need to manually place your public key in the authorized_hosts file on the remote computer.

    Once that is done you can connect using Vine's SSH by entering the proper host (and the username if the foreign username doesn't match the local one).

    I have already generated the keys using ssh-keygen, and installed my public key in a file called authorized_hosts2 on the server. (Could the filename having a '2' on the end make the difference?) When I connect via Terminal I get appropriately prompted for the passphrase for the private key file.

    When I attempt to connect using Vine Viewer one of two things happens: If I leave the SSH password field blank I get a permission denied error. If I fill in the SSH password field I get in, but never get prompted for the local passphrase. (Apparently I'm getting in via the password, not the keys.)

    As a further test, I disabled Password Authentication by editing sshd_config on the server. I can't get in even WITH the SSH password entered in the Viewer, nor am I ever prompted for the local passphrase.

    I can be easily convinced that I've got something screwy going on here given my SSH noobiness, but that doesn't mean I don't appreciate your help, Jonathan. :-)
  • JonathanOSX ForumAdmin
    Definitely sounds like the PKE isn't working for you: you can get in with the username/password but not PKE.

    It could be that authorized_hosts2 is the problem. I've never seen it with the 2 ending before.

    It might be that you need to have your passphrase "unlocked" first before connecting with Vine, but I'm not sure if that is doable or not. It does work for non-passphrase PKEs.
  • JonathanOSX wrote:
    Definitely sounds like the PKE isn't working for you: you can get in with the username/password but not PKE.

    It could be that authorized_hosts2 is the problem. I've never seen it with the 2 ending before.

    Well, it wasn't that. :-) I renamed the file without the '2' and still can't get in.
    JonathanOSX wrote:
    It might be that you need to have your passphrase "unlocked" first before connecting with Vine, but I'm not sure if that is doable or not. It does work for non-passphrase PKEs.

    I can't find a way to 'unlock' the passphrase, at least until you support the Keychain. I'll try a non-passphrase key, but that strikes me as being at least a little less secure (especially if somebody makes off with my notebook).
  • JonathanOSX wrote:
    Definitely sounds like the PKE isn't working for you: you can get in with the username/password but not PKE.

    It could be that authorized_hosts2 is the problem. I've never seen it with the 2 ending before.

    This is fairly common for SSH2 on some Linux servers.
    jackb wrote:
    Well, it wasn't that. :-) I renamed the file without the '2' and still can't get in

    The first place I'd look is to take VNC out of the equation. Try it from the terminal with the -v flag, so:
    ssh -v [email protected]

    The -v (verbose) flag should give you a good idea of what's happening with the connection.

    If Vine doesn't support pass-enabled keys then you probably want to try using SSH agent. SSHKeychain is a frontend to ssh-agent that integrates well with the OSX keychain.

    [rant]
    On another note, I personally don't feel that the SSH daemon on OSX 10.4 is locked down well enough. For one thing it appears to have protocol version 1 enabled (you can check this with ssh -v -1 [email protected]). This is insecure and the server should be hardened. Secondly every account is granted SSH access when the protocol is turned on under 'Sharing'. It's best to explicitly limit which accounts can have remote access. All of these steps can be done in the /etc/sshd_config file. This means that if you create a demo account with the password demo (or similar) and connect to the net the chances of your box being pwned are extremely high.
    For limiting users add "AllowUsers YOU whoeverelseyoutrust" to the end of the file. Be sure to stop and restart the service after changes made to this file.
    [/rant]
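    An added example, not code from the thread or from Vine: a small POSIX sh audit that checks an sshd_config for the three points kiyose raises (protocol 1 still allowed, password logins left on, no AllowUsers list). The two sample configs are constructed here, and the only tools assumed are awk, tr and mktemp.

```sh
#!/bin/sh
# Added example (not code from the thread): audit an sshd_config for the three
# points kiyose raises: protocol 1 allowed, password logins left on, no AllowUsers.
# sshd uses the FIRST uncommented value of a keyword, so that is what is inspected.

# Print the first uncommented value of directive $2 in file $1 (empty if unset).
sshd_get() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one line per weakness found; the return status is the number of findings.
audit_sshd_config() {
    cfg="$1"
    n=0
    proto=$(sshd_get "$cfg" Protocol)
    # kiyose observed that the 10.4 daemon accepts v1 with no Protocol line, so an
    # unset value is treated as allowing it, as is any value that lists 1.
    case "$proto" in
        "" | *1*)
            echo "Protocol: v1 allowed (value '${proto:-unset}'); set 'Protocol 2'"
            n=$((n + 1)) ;;
    esac
    pw=$(sshd_get "$cfg" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication: not 'no' (value '${pw:-unset}'); prefer keys only"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ]; then
        echo "AllowUsers: absent, so every local account may log in over SSH"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample configs: defaults of the kind kiyose describes, and a
# hardened version using the settings from the thread.
weak=$(mktemp) && hard=$(mktemp)
printf 'Protocol 2,1\n#PasswordAuthentication yes\nUsePAM yes\n' > "$weak"
printf 'Protocol 2\nPasswordAuthentication no\nAllowUsers jack\n' > "$hard"
echo "== weak =="; audit_sshd_config "$weak" || echo "$? finding(s)"
echo "== hardened =="; audit_sshd_config "$hard" && echo "no findings"
rm -f "$weak" "$hard"
```

    Point it at the real file (/etc/sshd_config on 10.4) to see which of the three kiyose mentions still apply, then restart the service after editing, as he notes.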
  • kiyose wrote:
    The first place I'd look is to take VNC out of the equation. Try it from the terminal with the -v flag, so: ssh -v [email protected]

    The -v (verbose) flag should give you a good idea of what's happening with the connection.
    Thanks for the -v tip, kiyose. I was having no problem getting in using the Terminal; getting prompted for the passphrase happened as you'd expect. Ditto for using SSH Tunnel Manager and Fugu: was getting prompted for the passphrase before the connection was allowed. But Vine Viewer would not prompt me for the passphrase.
    If Vine doesn't support pass-enabled keys then you probably want to try using SSH agent. SSHKeychain is a frontend to ssh-agent that integrates well with the OSX keychain.
    Thanks, I'll have a look and see what shakes out. And I really appreciate your comments about hardening the server and especially the link to the KU IT article.

    Jack
  • I've found that SSH Helper (see MacUpdate) has been a great aid in getting ssh to work correctly with public/private keys. It can generate the keys, import keys and provide a GUI to manage which keys are authorized for which accounts.

    It also provides a GUI to manage the default ssh server settings though this works best with 10.4. 10.3 seems to store the server info in different locations so some changes made to the server by SSH Helper don't seem to take as well (specifically trying to change the default ssh port number).

    Using SSH Helper I have password authentication disabled and have no problem using key authentication to run Vine Viewer. Note, however, that I have not password protected my private key as I use File Vault.