In this open series, you can contribute shows that are on the topic of Privacy and Security
The best way to get familiarity with the concepts we will discuss is by experimentation. I think that it is becoming more common these days for people to own more than one computer and set them up in a network. And with cheap computers like Raspberry Pi it is really easy to get started. In this tutorial I want to discuss how you can set up such a server for your experiments in ssh. I encourage you to do this even though I dont intend this series to focus on server administration. The idea is that by practising these these techniques behind a good firewall you can get some familiarity with them before you get out on the Internet where it matters. For most Linux users, at least, installing and setting up a server is really simple, and you can do it minutes.
For more go to https://www.zwilnik.com/?page_id=847
Comment #1 posted on 2015-10-06 18:45:32 by kdmurray
Just a quick clarification on a point made just after the 14m mark with regards to remote login to the SSH server from the Internet. Ahuka makes the comment that "you're transmitting the password in the clear."
According to the SSH man page all communications between the client and server, including password verification, are done using public key encryption.
"Finally, if other authentication methods fail, ssh prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network."
When using an open and (possibly hostile network) something to keep in mind is to watch for the warning that the server's certificate fingerprint has changed. If this comes up for a server you use regularly be very, very suspicious.
Love hearing about the security stuff. Keep it going! :)
Comment #2 posted on 2015-12-10 08:19:51 by 0xf10e
yepp, no cleartext
1st thing is DH key exchange, basically "no that we speak privately and securely let me tell you who I [the server] am". Think about it. Any other way would leave the client open to a MitM spoofing the server's keys.
But, of course, when you ignore the changed fingerprint on the server you won't know who is receiving your credentials.
With pubkey auth you don't have to worry about losing anything usable to impersonate you. Also makes brute force login attempts infeasible due to the vast number of possible keys.
Note to Verbose Commenters
If you can't fit everything you want to say in the comment below then you really should record a response show instead.
Note to Spammers
All comments are moderated. All links are checked by humans. We strip out all html. Feel free to record a show about yourself, or your industry, or any other topic we may find interesting. We also check shows for spam :).