[tor-relays] List of Relays' Available SSH Auth Methods
libertas at mykolab.com
Tue Nov 18 15:09:37 UTC 2014
Hi, everyone. Linked below is a list of relays that were live last night
along with the SSH authentication methods they support:
If no auth methods are listed, the SSH connection to the relay failed
(more on that below).
I used this script to generate it:
The purpose of this is to alert relay operators who are still
allowing password authentication. 2,051 relays offered password auth,
and many more likely offer similarly insecure methods or were missed
for reasons discussed below.
Generally, it is far more secure to allow only public key auth. The
Ubuntu help pages have a good guide on setting up key-based auth:
Be sure to disable password authentication after you get key-based
To test whether password auth is still supported, use my script (the
README is pretty thorough) or try SSHing from a machine that doesn't
have access to your private key. In the latter case, you should get
the response 'Permission denied (publickey).' immediately.
If you're having issues, make sure that you've restarted sshd since
the last time you changed the config.
Be sure to back up the node's secret key or your SSH private key, but
only somewhere safe! For example, store it in a password manager
database on Tarsnap or a USB.
This script doesn't attempt any kind of authentication or unauthorized
access, so it's about as benign as network scanning scripts come.
Regardless, let me know if you have any concerns.
It made successful SSH connections with 2839 / 6551 relays. Reasons
for failure include:
* SSH being served on a non-standard port - something other than port
22. This is a good idea, as many brute-force attackers will only
bother trying port 22. The script I wrote could have used an alternate
port number supplied from nmap, but this would run much slower and
would potentially get my VPS blocked before it could even get the SSH
* The server only allowing SSH connections from certain IP addresses.
This is also commonly recommended, although it can be a little rigid
if you don't have a VPN with a static IP (what if your server goes
down while you're away from home?).
* The server going down between when I downloaded the consensus and
when I ran the script.
* My VPS's IP address getting added to a shared blacklist that the
If I gave any poor advice or got anything wrong, please let me know.