search for: sshauth

To radically cut down on SSH log spam you can also hide it completely behind a firewall, and allow access only by some port knocking sequence. I quite like having a process listen on port 53 and wait for a dns query containing a totp string to grant (temporary) access; that's a 2fa, and doing a "host 123456. my-ip" is easily automated in a shell script as well...

I guess you might find fail2ban useful. It scans logfiles (like /var/log/sshd.log), and when it sees too many authentication failures from an IP address (or network range) it can issue commands to drop any further attempts via a firewall. By having it read its own logfile it's possible to have repeated offenders be cut out for longer and longer time spans.

ssh-agent is clearly the greatest thing since sliced bread. The python cryptography toolkit wicked cool too. I'd like to use them together. So I read the ssh-agent man page and the source code and wrote some python code http://www.w3.org/2000/10/swap/util/sshAuth.py v 1.4 2003/09/16 04:36:24 to talk to ssh-agent; in particular, to get it to RSA-sign a string passed from the command line, ala: $ python sshAuth.py abc signature: ssh-rsa 5560602945671...37036908994L After getting the protocol wrong and killing my ssh-agent a few dozen times, I got it w...