From: Ian Rawlings on 18 Jan 2006 04:41

On 2006-01-17, Nix <nix-razor-pit(a)esperi.org.uk> wrote:

> I sometimes find it useful to reset the router without resetting the
> whole machine.

I use a dedicated firewall machine to hold the ADSL card; in essence it's a router, but one that runs Gentoo. An old, slow machine is enough: mine is a P2 300MHz, which is quick enough to do the job while also being the place I run any nmap processes when working. I use SNMPv3 to monitor it, but haven't gotten around to really sorting the firewalling out yet; it just uses NAT to secure the network at the moment.

-- 
Blast off and strike the evil Bydo empire!
From: Martin Gregorie on 22 Jan 2006 15:14
I said I'd wring out the business of restricting access to remote logins via sshd and report back. This is the report.

The short answer is that using hosts.allow and hosts.deny is the only way to restrict access to sshd by an arbitrary client.

After proving that the hosts.* files do the job and setting them to reject all access from computers outside my internal domain, I put public keys from one of them in /etc/ssh/ssh_known_hosts and tried logging in from that and another computer in the domain. Both were able to log in.

The description in the sshd manpage for /etc/ssh/shosts.equiv says that computers listed in this file can't log in as root and will *usually* be checked against the public keys list, so I did some tests. Hosts with every possible combination of the presence or absence of their entries in /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts were able to log in via ssh as a normal user or as root.

In summary, I don't know what these files are meant to do, but whatever it is, they don't do it. Apologies to those who tried to tell me that earlier. I remain baffled as to why sshd would remotely care about /etc/ssh_known_hosts.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
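As an added example (not code from the thread or from OpenSSH), the following Python script models how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny for a daemon such as sshd, so that a rule set like the "internal domain only" one described above can be checked offline before it locks anyone out. The two rule files, the domain name, the subnets and the client addresses are constructed for the example and are assumptions, not taken from the post. The evaluation order is the one documented in hosts_access(5): the first matching hosts.allow entry grants, otherwise the first matching hosts.deny entry refuses, otherwise the connection is granted.

```python
import ipaddress

# Constructed /etc/hosts.allow mirroring the setup in the post: sshd is reachable
# from the internal domain and subnet only. Domain, subnets and addresses are
# assumptions for this example, not values from the thread.
HOSTS_ALLOW = """\
# /etc/hosts.allow (constructed example)
sshd: .gregorie.org, 192.168.1.0/255.255.255.0
sshd: 10.0.0. EXCEPT 10.0.0.13
ALL: LOCAL
"""

# Constructed /etc/hosts.deny: anything not granted above is refused.
HOSTS_DENY = """\
# /etc/hosts.deny (constructed example)
ALL: ALL
"""


def split_list(field):
    """Split a daemon or client list on commas/whitespace; EXCEPT stays a token."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Parse 'daemon_list : client_list [: shell_command]' lines into token lists."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed hosts_access rule: %r" % raw)
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def match_client(pat, addr, host):
    """Match one hosts_access(5) client pattern against a client address and its
    reverse-resolved host name (None when the lookup failed)."""
    host = host.lower() if host else None
    if pat == "ALL":
        return True
    if pat == "LOCAL":                       # host name without a dot
        return host is not None and "." not in host
    if pat.startswith("."):                  # domain suffix, e.g. .gregorie.org
        return host is not None and host.endswith(pat.lower())
    if pat.endswith("."):                    # address prefix, e.g. 10.0.0.
        return addr.startswith(pat)
    if "/" in pat:                           # net/mask or net/prefixlen
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    return pat.lower() == host or pat == addr  # exact host name or address


def match_list(tokens, matches):
    """Evaluate a pattern list: 'a b EXCEPT c' means (a or b) and not c, and a
    further EXCEPT binds to the right, as in tcp_wrappers."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matches) and not match_list(tokens[i + 1:], matches)
    return any(matches(t) for t in tokens)


def rule_matches(rule, daemon, addr, host):
    daemons, clients = rule
    return (match_list(daemons, lambda p: p in ("ALL", daemon))
            and match_list(clients, lambda p: match_client(p, addr, host)))


def hosts_access(daemon, addr, host=None, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as libwrap does: first match in hosts.allow grants, otherwise first
    match in hosts.deny refuses, otherwise the connection is granted."""
    if any(rule_matches(r, daemon, addr, host) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr, host) for r in parse_rules(deny_text)):
        return False
    return True


if __name__ == "__main__":
    for daemon, addr, host in [
        ("sshd", "192.168.1.20", "box1.gregorie.org"),    # internal: allow
        ("sshd", "203.0.113.5", "attacker.example.net"),  # outside: deny
        ("sshd", "10.0.0.7", None),                       # prefix match: allow
        ("sshd", "10.0.0.13", None),                      # EXCEPT: deny
        ("ftpd", "192.168.1.20", "box1.gregorie.org"),    # other daemon: deny
    ]:
        verdict = "allow" if hosts_access(daemon, addr, host) else "deny"
        print(daemon, addr, host, "->", verdict)
```

Two caveats for anyone copying this setup. First, sshd only consults hosts.allow and hosts.deny when it was built with libwrap (most distributions did so at the time; OpenSSH dropped tcp_wrappers support in 6.7), so an sshd_config restriction such as AllowUsers/DenyUsers with user@host patterns is the portable alternative. Second, /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts are inputs to host-based authentication (the HostbasedAuthentication option, off by default), not an access list, so adding or removing hosts there does not by itself stop a client that authenticates with a password or a user key.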