[TriLUG] ssh question

Igor Partola via TriLUG trilug at trilug.org
Mon Oct 24 12:28:10 EDT 2016 

There is a standard way to do this: generate an ssh keypair and use that.

    ssh-keygen -t rsa -f raspberry_pi_id_rsa

Hit Enter instead of doing a passphrase (yes this is secure in this case).
You'll get two files: raspberry_pi_id_rsa and raspberry_pi_id_rsa.pub. Now
copy the raspberry_pi_id_rsa.pub file to the Raspberry Pi.

    ssh-copy-id raspberry_pi_id_rsa.pub IP-OF-YOUR-PI

Now use the ssh command like so:

    ssh -i raspberry_pi_id_rsa IP-OF-YOUR-PI

Make sure that the user which is doing this has access to
raspberry_pi_id_rsa and the permissions on it are 0400.

This is the standard and correct way to do this. Using passwords for ssh is
a *VERY BAD TERRIBLE AWFUL HORRIBLE IDEA*. Did I mention that you shouldn't
do it?

If you need more info, search the web for "ssh keypair" along with
"raspberry pi" or "ubuntu".

Now, as to Brian's points about security:

Please understand that the age of a 1337 haxxor specifically targeting your
system is over. The threat model is now someone with a very fast internet
connection scanning all four billion IPv4 addresses in under an hour,
looking for vulnerabilities of some kind, including weak passwords on ssh.
This is automated and they don't target a specific system. They just want
to gain access to *everything*.

The motives are often to create a DDoS botnet, but other times they try to
steal files, redirect your web traffic to steal your credit cards, infect
your Windows PC's with malware, host a bunch of child pornography from your
IP, etc. Let's say you don't care about what's on this specific RPi, but
you very well might have an NFS or SMB share, a local printer, a Nest
thermostat, etc. Having a device controlled on your LAN, behind your
firewall gives the attacker many options. Once again, they will likely have
this part automated, so something esoteric might not get hit as early as a
Windows PC or a router with a default password, but you will still have a
*bad time*.

In this case, the only thing that will save you is that your Rapsberry Pi
is behind a firewall (you did make sure your router's firewall is
configured correctly and does not allow the RPi's port 22 to be open to the
outside world on any port, right? You also made sure that you have a
firewall set up for IPv6 whenever your provider suddenly drops that on you,
right?). Otherwise, that RPi would likely be owned within days of coming
online, and then the attacker will start hammering on the rest of your
devices from inside your trusted network. To see proof of this, expose a
box (with a very strong password and in a DMZ) to the internet and watch
`tail -f /var/log/auth.log`.

My advice to you and everyone is to take security seriously because it's so
easy to do: disable password-based ssh logins and use ssh keypairs
everywhere. It is more convenient than passwords, actually protects you
(passwords, especially default ones don't), and is the right thing to do.

Igor

More information about the TriLUG mailing list