I am using CentOS 7 in my personal laptop. I have created Public/Private keys ( SSH key pair) for that user. I can see the two keys also in the path /home/user/.ssh/. After creating the key pairs I have coped the public key to the file " .ssh/authorized_keys " and disabled the root access for the user in the file " .ssh/sshd_config" after that I restarted the ssh services. So I wanted to know how I can restrict others accessing my server based on keys ( even if he has password he should not be able to login without key). I am not sure how to use those keys which I created.
Once your are sure that you can login with your keypair, you can add this line to your sshd config on the server :
PasswordAuthentication no
and restart your sshd service
It will prevent any password authentication. You will only connect using your private key.
Related
So i have a mail server say "mailer.com". Postfix handles mail for mailer.com also for "virtual.com" (postfix virtual domain).
So, when i create the DKIM key pair:
opendkim-genkey -s mail -d example.com
Which domain do i use here? mailer.com or virtual.com?
Then i put the public key in TXT record on the virtual.com domain?
FYI I used this guide:
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
You need to create keys for each domain you want to sign messages for and put appropriate DNS records in each domain DNS zone.
I am trying to build a bash script that connects to other servers to do some basic monitoring like checking disk space and have this information emailed. I still need all these servers require a password for general entry/access by users but for this particular monitoring script I don't want to be asked a password (general ssh key only)
How do I can configure a particular user (lets call it monitor) connect to a server with the following command but not ask for the password (as it will be for a cron so needs to be automated)
// ssh to web1 server and get diskspace
cmd=$(ssh web1 df -h | grep -E "xvda1|xvde1" | awk '{print $5};' | sort -r | head -1)
lets say the servers have 3 users 'monitor', 'bob' & 'paul'
When it hits this part of the script the ssh web1 forces me to enter a password - is it possible to setup a particular user (in this case the monitor user) to be able authenticate & login using ssh some-ip without asking for the password but still have it ask for the passwords when either bob or paul try to login?
Yes, it is quite simple: just create an SSH key for monitor user only (ssh-keygen), and then copy it's private key to other servers (ssh-copy-id SERVER-IP-OR-NAME).
Just check PubkeyAuthentication is enabled on the server, but it is enabled by default...
This way user monitor will be logged without asking password, and other users will be required of their password.
It is possible, you have to copy your RSA key to the server and enable the RSA authentication.
You can generate the key using ssh-keygen and following the instructions, then copy it to the server using ssh-copy-id and enabling the PubkeyAuthentication on the server. Be sure to restart the sshd.service!
Resource: openSSH docs
I have a common use case to implement a web service (WCF) and a web client which is consuming this web service. Both Client and Service are sending and receiving Signed and Encrypted messages (Message Level Security).
I can have multiple clients those are using my service, hence multiple client certificate need to be installed on Server where Service project is running.
I have installed 2 Certificates (Service Certificate and Client Certificate) in local machine store under personal and trusted root certification authorities.
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFServer" -len 2048 -sky exchange -pe
makecert -sr LocalMachine -ss My -a sha1 -n "CN=WCFClient" -len 2048 -sky exchange -pe
Although Certificate give me error of "integrity of licence can not be guaranteed" but now i dont care about this issue.
Web Client need to Sign the request message through its own Private Key and Encrypt message through Service Certificate Public key.
Service receive the request and verify the signature of message through client Public Key and Decrypt the contents through own Private Key
Than process the request and create a response object.
Now Service must sign the response by own private key and encrypt the message through client public key.
Now client get Signed and Encrpted response. Now it verify the response through Service Public Key and Decrypt the message by its own private key.
This is whole Szenerio . I have installed both(Client and Service) X.509 Certificates on my local development machine. I am using wsHttpBinding and communication is working fine.
I am using [ServiceContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)] for ServuceContract and [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, IsOneWay = false)] for OperationContract.
I have following question:
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
I go through following code project and its working fine.
http://www.codeproject.com/Articles/36683/simple-steps-to-enable-X-certificates-on-WCF
My Source code (Visual Studio Project) Including both certificates is available on Bitbucket for download here
Can any one tell me, do i need to do all this stuff in code or its done through my current configurations.
Thanks in advance.
i got following answer from MSDN forum.
do i need to Sign and Encrypt/Decrypt Request or Response message in my Code (once in client and once in service code) or Configurations in web.config on Service Project and Client project are enough to do all this stuff?
If we have configured the service to use the certificate authentication in the config file, then as you said all the response and request message will be Encrypted/Decrypted by the client certficate's private key/ public key and service certificate's private key/ public key. So in my mind it is enough to do all the stuff in the configure file.
For more information, please try to refer to the following articles:
Certificate authentication:
https://msdn.microsoft.com/en-us/library/ff648360.aspx .
Message and Transport Security:
https://msdn.microsoft.com/en-us/library/ff648863.aspx .
i have few more questions which may be any one can answer me.
I have multiple clients (external web applications ) which will access my service. do each client need to create their own certificate? client will deliver us certificate without private key which need to be install on Service Host server? is this a correct way?
Each client certificate need to be configured in web.config ?
I need to export my service certificate without private key and send to clients. clients must install and configure certificate on their application server? is this correct?
here i got another ver good answer (step by step guide) from MSDN Team.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/a9d85e9f-6d35-425c-ac6d-b3cd883760e4/wcf-message-level-security-using-certificate-x509-message-signed-and-encrypted?forum=wcf&prof=required
I have a server, and three people access that server as user test with their SSH keys, their public keys is saved in authorized_keys file.
Is there a way to map a user to a ssh key.
For example if user with public key A1 log in to the server, then i can match the A1 key to a person name in a config file or a small table(created by me) and get the name of the active users.
How can i check what are the ssh keys used to log in to server, and are currently active, is there a way to do this ?
Form the manpage we can read that you can set environment variables in the authorized_keys file for every key. For this to work you need to set
PermitUserEnvironment yes
in /etc/ssh/sshd_config and restart your ssh server.
Then add an environment="name=value" in front of the ssh public key in the authorized_keys file, like this for example:
environment="sshuser=user1" ssh-rsa AAAA...
If you then log in to the server you can access the env variable:
$ ssh server
$ echo $sshuser
user1
Hope it helps!
Where should a certificate that appears in the Trusted Root Certification Authorities node in certmgr.msc be kept so that an IIS web app can obtain it and sign a SAML Assertion with it? Is there a way to extract the certificate from the certificates "hive" directly, that does not require file-system permissions? Or is it necessary to export the certificate to a folder to which the IIS7 built-in user has access permissions?
The X509Certificate2.Import() method's first parameter is fileName.
If I export the Certificate and put the file in my Visual Studio 2012 Project folders hierarchy and provide a fully qualified path to the Import() method, the cert import succeeds, but only if the application is running in Visual Studio's built-in server, not if it's running in the Local IIS Web Server.
I've tried using the Friendly Name with X509KeyStorageFlags.MachineKeySet but that did not work.
EDIT: This works when using the built-in Visual Studio server but not the LOCAL IIS7 Server in Windows 7:
certStore = New X509Store(StoreLocation.CurrentUser)
certStore.Open(OpenFlags.ReadOnly)
Dim thumbprint As String
thumbprint = ConfigurationManager.AppSettings("thumb").ToString
certCollection = certStore.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, False)
certStore.Close()
cert = certCollection(0)
so I need to find out how to give the Default App Pool access to this certificate in Windows 7.
You don't "import", just create an instance. Formally, you open a key store and loop through certificates. And yes, you don't need any filesystem permission, however, to access the private key, your application pool identity has to have permission to the key, you set the permission in the certificate snapin of the mmc console.
Edit: the code to access the certificate would be something like:
var store = new X509Store( name, location );
store.Open( OpenFlags.ReadOnly );
foreach ( var cert in store.Certificates )
... loop and match, by thumbprint, friendly name or whatever else