VMware security tip (regenerate SSHD keys)
Surprisingly, most people overlook basic security principles when dealing with virtual machines. This short article hopes to readdress and draw attention to these points.

[b]Your SSH server is no more secure than telnet[/b]
[b]Problem:[/b] Whenever you clone a virtual machine, or download a virtual machine, you also clone the private SSH key for that virtual machine. Once you have the private key, you can decrypt or hijack the traffic being sent over your "secure" connection. Not good.
[b]Solution:[/b] You need to re-generate your private SSH keys when you clone a VM:
# Example given for Fedora: (regenerate SSH keys)
[color=Red]rm -i /etc/ssh/*key* [/color][color=Red]# permanently delete your existing host keys (private and public)[/color]
[color=Red]ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa [/color][color=Red]# re-gen the RSA host key (ssh_host_rsa_key must be type rsa, not rsa1)[/color]
[color=Red]ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa [/color][color=Red]# re-gen the DSA host key[/color]
[color=Red]Remember that you will receive a "key changed" warning the next time you ssh to your server.[/color]
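Once keys have been regenerated on each clone, the check a defender wants is that no two VMs still share a host key. The following is an added example and is not from the original post: it takes public host key lines of the form ssh-keyscan prints (host, key type, base64 blob), validates that the type named inside the blob matches the textual type, computes the OpenSSH-style SHA256 fingerprint and reports any hosts that share one. The inventory lines and the 32-byte key material inside them are constructed for the demo and are not real Ed25519 keys.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(host: str, seed: int) -> str:
    """Build a CONSTRUCTED public key line of the kind ssh-keyscan prints.
    The 32-byte 'public key' is derived from the seed and is not a real
    Ed25519 key; it only exists so the wire format and fingerprinting
    can be exercised offline."""
    fake_point = hashlib.sha256(b"constructed-host-key-%d" % seed).digest()
    blob = ssh_string(b"ssh-ed25519") + ssh_string(fake_point)
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_pubkey_line(line: str):
    """Parse 'host keytype base64blob [comment]' and validate the blob.
    Returns (host, keytype, blob). Raises ValueError on malformed input."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed host key line: {line!r}")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The first wire-format string inside the blob names the key type; it must
    # agree with the textual type, otherwise the line is corrupted or tampered with.
    (tlen,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + tlen]
    if inner_type != keytype.encode():
        raise ValueError(f"key type mismatch for {host}: {keytype} vs {inner_type!r}")
    return host, keytype, blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of sha256(blob), '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(lines):
    """Group hosts by host key fingerprint. Any group with more than one host
    is a set of clones that still share the same private host key."""
    by_fp = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host, _, blob = parse_pubkey_line(line)
        by_fp[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed inventory: two clones still carry the template's key (seed 1),
# while a third VM had its host keys regenerated (seed 2).
SAMPLE_INVENTORY = [
    "# collected with: ssh-keyscan -t ed25519 <host>",
    make_ed25519_pubkey_line("vm-clone-1", 1),
    make_ed25519_pubkey_line("vm-clone-2", 1),
    make_ed25519_pubkey_line("vm-regenerated", 2),
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} shared by: {', '.join(hosts)}")
```

In practice the inventory is the concatenated output of ssh-keyscan against every VM (or the contents of each VM's /etc/ssh/ssh_host_*_key.pub prefixed with its hostname); a non-empty result means the clone step skipped key regeneration.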
[b]Someone from outside your company has plugged a computer into your network[/b]
[b]Problem:[/b] A virtual machine is still a computer. You wouldn't let just anybody plug their computer into your network, so you must still remember to perform a security analysis before powering it on.
[b]Solution:[/b] For an untrusted VM, make sure:
[list=1]
[*]Networking - can the VM snoop on networked traffic? Is it on a segmented part of the network? Do you need to allow networking at all?
[*]Passwords - are you using the same password for something important? If the VM was sending passwords back, would it matter?
[*]Are you connecting to anything important while you use the machine? Are you SSHing to a machine with less-segmented network access? Shares? Mounts?
[/list]