Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
doku:vpn_ssh_access [2024/02/16 11:26] – Update TU Wien links mpfisterdoku:vpn_ssh_access [2024/05/02 09:54] (current) – [Security issues] adding link to man sshd jz
Line 68: Line 68:
  
 <code> <code>
-Host vsc4.vsc.ac.at vsc4+Host vsc5.vsc.ac.at vsc5
   Port 27   Port 27
 +  User vsc_username
 #  ForwardAgent yes #  ForwardAgent yes
   IdentityFile id_rsa   IdentityFile id_rsa
   IdentitiesOnly yes   IdentitiesOnly yes
 #  ForwardX11 yes #  ForwardX11 yes
 +</code>
 +
 +=== Using a jump host ===
 +A configuration for automatically using a jump host could look like this:
 +
 +<code>
 +Host vsc5.vsc.ac.at vsc5
 +  User vsc_username
 +  ProxyJump login.univie.ac.at
 +
 +Host login.univie.ac.at
 +  User uni_username
 </code> </code>
  
Line 79: Line 92:
     * In theory it would be possible to create an ssh key without passphrase. However, the possession of this key would allow anyone from anywhere to open a connection.     * In theory it would be possible to create an ssh key without passphrase. However, the possession of this key would allow anyone from anywhere to open a connection.
     * Forwarding the ssh key as a standard procedure, e.g. by aliasing the 'ssh' command is not recommended, especially if you connect also to servers which are not perfectly reliable. An attacker with administrator access (using zero-day exploits?) could misuse the forwarded keys.     * Forwarding the ssh key as a standard procedure, e.g. by aliasing the 'ssh' command is not recommended, especially if you connect also to servers which are not perfectly reliable. An attacker with administrator access (using zero-day exploits?) could misuse the forwarded keys.
-    * One of the worst security issues concerning ssh keys would be to create a passphrase-less ssh-key and copy the public key directly to the 'authorized_keys'-file on the same server. This might seem useful if several servers share nfs mounted home directories. However, as stated above, anyone who ever had read access to this account could access forever from anywhere again! If ever necessary, this has to be combined with host access restrictions, e.g. in ''.ssh/authorized_keys'': ''from="*.trusted.host.example.com"'' (see ''man sshd'').+    * One of the worst security issues concerning ssh keys would be to create a passphrase-less ssh-key and copy the public key directly to the 'authorized_keys'-file on the same server. This might seem useful if several servers share nfs mounted home directories. However, as stated above, anyone who ever had read access to this account could access forever from anywhere again! If ever necessary, this has to be combined with host access restrictions, e.g. in ''.ssh/authorized_keys'': ''from="*.trusted.host.example.com"'' (see [[https://www.linux.org/docs/man8/sshd.html|man sshd]]).
  • doku/vpn_ssh_access.1708082771.txt.gz
  • Last modified: 2024/02/16 11:26
  • by mpfister