Temporarily blocking ports

Manolis Kiagias sonic2000gr at gmail.com
Sat Nov 29 23:24:44 PST 2008


Chris wrote:
>
> On Nov 29, 2008, at 1:11 PM, Jos Chrispijn wrote:
>
>>
>> From your reply on my message of 29-11-2008 21:47:
>>> An even tighter practice is to turn off all password logins and
>>> use only keyed connections. This is easier than it might seem
>>> though I'll admit I think of ssh as something only a select
>>> number of users may use and thus you know them by name
>>> and what IPs they are permitted to connect on.
>> I have been thinking of that as well, but don't think I should use
>> that yet with the knowledge I have on this.
>> Do you refer to manual or automatic key connections?
>>
> It's extremely easy.
>
> Generate your key and spread it to all systems you want
> to connect to. Have other users generate their key and do the
> same. After everyone is set, turn off password access in
> /etc/ssh/sshd_config, that file contains the docs in comments
> on how to do this. You change three parameters. Then sshd
> will need to be restarted. Be sure logins by key work first.
>
> This implies how to set up your keys. This was lifted from
> a helpful page on the net and modified but is pretty basic.
> Creates the keys in home directory of myuserid on system
> www.example.com, then moving the key to a second system
> called other.example.com such that myuserid can move
> between systems. The userid on the remote does not need
> to be the same string as on the local system though it's shown
> that way here.
>
> www$ cd # get to your home directory
> www$ ssh-keygen -t rsa
> Generating public/private rsa key pair.
> Enter file in which to save the key (/home/myuserid/.ssh/id_rsa):
> Enter passphrase (empty for no passphrase):
> Enter same passphrase again:
> Your identification has been saved in /home/myuserid/.ssh/id_rsa.
> Your public key has been saved in /home/myuserid/.ssh/id_rsa.pub.
> The key fingerprint is:
> <fingerprintshownhere> myuserid@www.example.com
> www$ ssh myuserid@other.example.com mkdir -p .ssh
> Password: <enter password here for other system>
> www$ cat .ssh/id_rsa.pub | ssh myuserid@other.example.com 'cat >> .ssh/authorized_keys'
> Password: <enter password here for other system>
>
> You are done setting up keys. Sample use of seamless login:
>
> www$ ssh other.example.com
> other$ hostname
> other.example.com
> other$ who
> myuserid          ttyp0    Jul 14 05:28 (www.example.com)
> other$ exit
> www$
>
> I only use this on FreeBSD and OS-X. No idea on Putty and others.
>

Can be used on PuTTY too. There are some small helper programs you can
download along with PuTTY:

- PuTTYgen: This will convert your key to a format that can be used by PuTTY
- Pageant: This works like "ssh-agent". You simply supply the key, and
it is automatically used in your PuTTY connections

It works flawlessly.
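The step in the quoted recipe that is easiest to get wrong is "turn off password access in /etc/ssh/sshd_config ... you change three parameters", because sshd honours only the first uncommented value of each keyword and ignores later duplicates. The script below is an added example for this thread, not code from either poster; it assumes the three parameters are PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication, and it checks a config file the way sshd reads it before you restart the daemon.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config before
# restarting sshd. sshd uses the FIRST uncommented value of a keyword,
# so a later "PasswordAuthentication no" below an earlier "yes" is
# ignored, and settings after a "Match" line are conditional.
# The three keywords below are an assumption about "three parameters".

# effective_value FILE KEYWORD DEFAULT: first global value, or DEFAULT
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*(#|$)/ { next }        # comment or blank line
        tolower($1) == "match" { exit }      # end of global section
        tolower($1) == key { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# key_only_logins FILE: return 0 if only public-key logins are accepted,
# else print each offending setting and return 1 (defaults are sshd's)
key_only_logins() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "PasswordAuthentication is $pw, want no"; rc=1; }
    [ "$cr" = no ]  || { echo "ChallengeResponseAuthentication is $cr, want no"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is $pk, want yes"; rc=1; }
    return $rc
}

# Two constructed sample configurations (not real files)
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$BAD_CFG" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
key_only_logins "$GOOD_CFG" && echo "good sample: key-only logins"
key_only_logins "$BAD_CFG"  || echo "bad sample: passwords still accepted"
```

Run it against the real /etc/ssh/sshd_config and only restart sshd once it returns 0, after confirming a key login works in a second session as the quoted message advises.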
