-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Hi, everyone. Linked below is a list of relays that were live last night along with the SSH authentication methods they support:
https://gist.githubusercontent.com/plsql/27e80e6dab421f8cba6c/raw/8bb0c7aa9d...
If no auth methods are listed, the SSH connection to the relay failed (more on that below).
I used this script to generate it:
https://github.com/plsql/ssh-auth-methods
The purpose of this is to alert relay operators that are still allowing password authentication. 2,051 relays offered password auth, and many more likely offer similarly insecure methods or were missed for reasons discussed below.
Generally, it is far more secure to allow only public key auth. The Ubuntu help pages have a good guide on setting up key-based auth:
https://help.ubuntu.com/community/SSH/OpenSSH/Keys
Be sure to disable password authentication after you get key-based auth working!
https://help.ubuntu.com/community/SSH/OpenSSH/Configuring#disable-password-a...
To test whether password auth is still supported, use my script (the README is pretty thorough) or try SSHing from a machine that doesn't have access to your private key. In the latter case, you should get the response 'Permission denied (publickey).' immediately.
If you're having issues, make sure that you've restarted sshd since the last time you changed the config.
Be sure to back up the node's secret key or your SSH private key, but only somewhere safe! For example, store it in a password manager database on Tarsnap or a USB.
This script doesn't attempt any kind of authentication or unauthorized access, so it's about as benign as network scanning scripts come. Regardless, let me know if you have any concerns.
It made successful SSH connections with 2839 / 6551 relays. Reasons for failure include:
* SSH being served on a non-standard port - something other than port 22. This is a good idea, as many brute-force attackers will only bother trying port 22. The script I wrote could have used an alternate port number supplied from nmap, but this would run much slower and would potentially get my VPS blocked before it could even get the SSH information.
* The server only allowing SSH connections from certain IP addresses. This is also commonly recommended, although it can be a little rigid if you don't have a VPN with a static IP (what if your server goes down while you're away from home?).
* The server going down between when I downloaded the consensus and when I ran the script.
* My VPS's IP address getting added to a shared blacklist that the server uses.
* etc.
If I gave any poor advice or got anything wrong, please let me know.
Libertas