  1. #1
    Just Joined!
    Join Date
    Jun 2013
    Posts
    30

    Setup administrative portal


    I am creating an OS for my company's thin client and I wanted to create an administrative portal so I can log onto any of the machines and administrate. I was thinking it might be possible to have a port listen for a ssh connection and then require a username and password to log on. If my terminology is wrong, please tell me; I am new to Linux.
    Last edited by JaredC; 06-27-2013 at 09:56 PM.

  2. #2
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    3,043
    I suggest you do quite a bit more reading about security before you set up a 'backdoor' ... anything you can do the bad guys can do as well.

  3. #3
    Just Joined!
    Join Date
    Jun 2013
    Posts
    30
    I think you're right and I am using the wrong terminology. I want to enable a way to have a remote session connect using authentication. Basically I would connect to it and enter a username and password that would grant me console access. BTW, what is the right term for what I am trying to do, so I can edit the title accordingly?

  4. #4
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    3,043
    I think you are trying to set up remote access to allow administration of systems. Administration tools for thin clients might be a better title than setup backdoor.

    You can use ssh with username and password information but if you are relying only on username and password then anyone else knowing the username and password will have exactly the same access as you - so you need to set a strong password. If you do use ssh then at least don't use the default port.

  5. #5
    Just Joined!
    Join Date
    Jun 2013
    Posts
    30
    Is there a way to make it any more secure than using a random port with a username and password?

  6. #6
    Linux Guru Jonathan183's Avatar
    Join Date
    Oct 2007
    Posts
    3,043
    Yes ... http://www.linuxforums.org/forum/sec...tml#post929857 is one approach ... I'm sure other forum members have other suggestions

  7. #7
    Just Joined!
    Join Date
    Sep 2006
    Posts
    9
    Quote Originally Posted by JaredC View Post
    I was thinking it might be possible to have a port listen for a ssh connection and then require a username and password to log on.
    OK, the problem with SSH is that most servers have to use it, and the bad guys know that cracking SSH gives them the keys to the kingdom. So, it is a target, and they know that you have to use it, so best be careful.

    There must be a dozen different approaches to what to do, some better than others (how secure? is there a danger of locking yourself out? how convenient?). Read on the samhain website for a page called brutessh for an overview (sorry, can't post links, so you'll have to do a search).

    Just to make a brief comment on a couple of the more obvious approaches:
    • Make sure the password is strong - if that is all that you do, and let a bad guy have an infinite number of guesses at your password, they'll still get in
    • Move the port from the default - some people recommend this as an adequate approach on its own, but, if someone can port scan you, it gives you less than a minute's extra protection
    • Firewalling solution that limits the number of failed attempts (by purely firewall commands or by fail2ban, denyhosts, etc); nice, but how do you ever get in if you once lock yourself out?


    I'm not saying that it is impossible, by any means, just that there are many schemes with advantages and disadvantages, and you need to think clearly before you decide.

  8. #8
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,569
    ssh can use passwordless connections which use public / private keys (link). This will take more configuration but is far more secure and it has the advantage that you can write admin scripts to access the remote machines!
    What do we want?
    Time machines!

    When do we want 'em?
    Doesn't really matter does it!?


    The Fifth Continent

  9. #9
    Penguin of trust elija's Avatar
    Join Date
    Jul 2004
    Location
    Either at home or at work or down the pub
    Posts
    3,569
    Incidentally, if by thin client you mean everything actually runs remotely on a server then the Linux Terminal Server Project may be of interest (link). If not, just ignore this post!

  10. #10
    Linux User IsaacKuo's Avatar
    Join Date
    Feb 2005
    Location
    Baton Rouge, LA, USA
    Posts
    406
    I would highly recommend you do NOT allow password authentication on ssh. Password authentication is vulnerable to brute force attack, while public key authorization pretty much is NOT vulnerable to brute force attack.

    The way public key authorization works is that an encrypted key file on your machine contains a key which is trusted by the remote machine. In order for you to access the remote machine, ssh will ask you the encryption passphrase. Assuming you enter the correct encryption passphrase, ssh will then use the trusted key to access the remote server.

    In order for a "bad guy" to access the remote server, he would need to have both the encrypted key file and guess the encryption passphrase. You also have the option to not use a passphrase, but obviously this removes one layer of security.

    To set this all up in ssh, you can follow the directions here:

    How To Set Up SSH With Public-Key Authentication On Debian Etch | HowtoForge - Linux Howtos and Tutorials

    That how-to is for Debian, but the same basic steps will apply to any Linux OS. The main difference will be using some command other than "apt-get" to install new software (if necessary--many Linux distributions install ssh by default).

    You can get more security by customizing /etc/ssh/sshd_config further. Changing the port to a custom port is a good idea, but it's only a minor benefit to security. Configuring ssh to only accept incoming connections from a particular IP address is a great benefit to security, but it obviously also limits your flexibility. Still, if you have one particular IP address that you're sure will always be up, it's a great idea to only allow ssh connections from it.
    elija likes this.
    Isaac Kuo, ICQ 29055726 or Yahoo mechdan
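
The sshd_config settings recommended in the post above (keys instead of passwords, logins only from a known address) can be checked with a short script. This is an added example, not part of any post in the thread: the function names and both sample configs are constructed, and it assumes `AllowUsers user@host` is how the source address is restricted.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for key-only
# logins restricted to a source host. Function names are hypothetical.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for most keywords (Port and AllowUsers
# accumulate instead) and matches keywords case-insensitively. Scanning stops
# at the first Match block, so only global settings are reported.
effective_value() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds only if AllowUsers is present and every pattern is user@host.
allow_users_restricted() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) { n++; if ($i !~ /@/) bare++ }
        }
        END { exit !(n > 0 && bare == 0) }
    ' "$1"
}

audit_sshd_config() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] ||
        echo "FAIL PasswordAuthentication is not 'no'"
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
        echo "FAIL PubkeyAuthentication is disabled"
    allow_users_restricted "$1" ||
        echo "FAIL AllowUsers does not restrict every user to a source host"
    return 0
}

# Constructed samples. In "weak" the later "PasswordAuthentication no" has no
# effect because the first occurrence wins. 192.0.2.10 is a documentation address.
SAMPLES=$(mktemp -d)
printf '%s\n' 'Port 22' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'AllowUsers admin' > "$SAMPLES/weak"
printf '%s\n' '#Port 22' 'Port 2222' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'AllowUsers admin@192.0.2.10' > "$SAMPLES/hardened"

for f in weak hardened; do
    echo "== $f"; audit_sshd_config "$SAMPLES/$f"
done
```

On a real machine, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check; the script above only reads one file.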
