From: Robert Hull on 15 Jan 2006 15:03

In uk.comp.os.linux, on Sun 15 January 2006 12:38, Martin Gregorie
<martin(a)see.sig.for.address> wrote:

> I'm interested in restricting the list of clients that can access my
> server, and if /etc/ssh/ssh_known_hosts, if it exists, does just that
> according to the sshd manpage.

Not the man page on this machine (SuSE 10 2.6.13-15.7 kernel) where it
states:

    /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts
        These files are consulted when using rhosts with RSA host
        authentication or protocol version 2 hostbased authentication
        to check the public key of the host. The key must be listed in
        one of these files to be accepted. The client uses the same
        files to verify that it is connecting to the correct remote host.

Nothing there about presence/absence in /etc/ssh/ssh_known_hosts being
used to disallow access, only that presence will allow it.

--
Robert
Keep the Yule Logs burning !
From: Martin Gregorie on 15 Jan 2006 15:12

alexd wrote:

Thanks for the quick overview.

> SSH is great when you want a quick connection that just works without too
> much messing about. You can get shell access, copy a few files with scp,
> etc etc.

It's beginning to look as if ssh might be a viable VPN replacement for
some of the simpler tasks. I've just had a quick play with sftp which
seems rather nice, though it's a lot slower than ftp (I suppose that's
inevitable when one end is only a P300 and the test file was in the
140 MB range). The ssh-based network filing system sounds useful too,
though I haven't seen it yet.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Martin Gregorie on 15 Jan 2006 15:13

alexd wrote:

> If you're super-paranoid, try port knocking.

What's that, he says ignorantly.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Chris Croughton on 15 Jan 2006 15:29

On Sun, 15 Jan 2006 10:03:43 +0000, Martin Gregorie
<martin(a)see.sig.for.address> wrote:

> Both files are described in the ssh and sshd manpages. Sheesh. I think
> I'm giving out more information than I'm receiving. Doesn't anybody else
> use ssh over the Internet and if not, why not and what do you use instead?

Yes, I use ssh over the Internet and I don't use that file, because the
whole point is that I need to be able to get into my machine from places
where I don't know the IP address (in some cases, via machines using
dialup connections where the IP address isn't even the same each time I
connect). As far as I can see by its nature it only allows connection
from individual hosts, not even a range, and so is useless to me.

Chris C
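The restriction Martin is after (a list of client addresses, including whole ranges as Chris asks for) is not what ssh_known_hosts expresses; it belongs in sshd_config. The fragment below is an added example for this thread, not something any poster wrote or shipped: the user name and the 192.0.2.0/24, 203.0.113.7 and 192.168.1.0/24 addresses are documentation placeholders, and Match blocks need OpenSSH 4.4 or later, which is newer than what the SuSE 10 box in the thread runs.

```sshd_config
# Added example sshd_config fragment, not from the thread.
# Addresses are RFC 5737 / private documentation ranges; substitute your own.

# Key-based logins only: a password guessed or phished from a client whose
# source address happens to be allowed then gains nothing.
PasswordAuthentication no
PubkeyAuthentication yes

# Restrict who may log in and from where. AllowUsers takes user@host
# patterns; a range is one entry here, which a known_hosts file cannot do.
AllowUsers martin@192.0.2.* martin@203.0.113.7

# Match blocks must come last and accept CIDR notation. This one allows
# password logins from the LAN only; every other source stays key-only.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
```

Two practical notes. Run `sshd -t` after editing so a syntax slip does not lock you out on the next restart, and keep an existing session open while you test. The hosts.allow/hosts.deny route Martin mentions later only applies when sshd is built against libwrap, and it matches on either the numeric address or the reverse-DNS name; the name form is the one his DNS-spoofing caveat applies to, so list numeric addresses there and in AllowUsers rather than host names.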
From: Martin Gregorie on 15 Jan 2006 18:01

Robert Hull wrote:

> In uk.comp.os.linux, on Sun 15 January 2006 12:38, Martin Gregorie
> <martin(a)see.sig.for.address> wrote:
>
>> I'm interested in restricting the list of clients that can access my
>> server, and if /etc/ssh/ssh_known_hosts, if it exists, does just that
>> according to the sshd manpage.
>>
> Not the man page on this machine (SuSE 10 2.6.13-15.7 kernel) where it
> states:
>
>     /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts
>         These files are consulted when using rhosts with RSA host
>         authentication or protocol version 2 hostbased authentication
>         to check the public key of the host.
>
>         The key must be listed in one of these files to be accepted.
>         The client uses the same files to verify that it is connecting
>         to the correct remote host.
>
> Nothing there about presence/absence in /etc/ssh/ssh_known_hosts being
> used to disallow access, only that presence will allow it.

OK, but if the key check doesn't deny access, what exactly is its point?

Granted that you can keep undesirable named hosts out with hosts.deny but
only if they *don't* spoof the host name or mount a DNS attack. Given
that, there's just no point in having an ssh_known_hosts file.

As there's nobody sitting watching the logs for messages saying that sshd
doesn't like a host because its key is wrong you may as well not bother
with the check if sshd can't reject a host that fails it.

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
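What the file actually does is pin the public key expected for a named host, so the useful question it answers is "does this host present the key I have on record?" rather than "is this host on my list?". An absent entry is an unknown host, not a denied one; a present entry with a different key is the "host identification has changed" case, which is the check that catches a spoofed host name or a DNS attack. The following added example (my code for this thread, not anything from the posters or from OpenSSH) implements that lookup over the known_hosts line format: plain names, comma-separated aliases, `*` wildcards, `!` negation, `@revoked` markers and `|1|salt|hash` hashed entries as written by `ssh-keygen -H`. The file contents, host names and key blobs are constructed placeholders.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed sample ssh_known_hosts contents. Key blobs are placeholders
# (not real keys) and hosts use documentation names and addresses.
SAMPLE_KNOWN_HOSTS = """\
# plain entry with an alias list; the trailing comment is ignored
gregorie.org,192.0.2.10 ssh-ed25519 KEYONE martin@gregorie.org
# wildcard pattern covering a whole domain
*.example.net ssh-ed25519 KEYWILD
# key the administrator has revoked; ssh refuses a host presenting it
@revoked old.example.org ssh-rsa KEYTWO
"""


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Encode a hostname the way `ssh-keygen -H` does:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def host_matches(pattern: str, hostname: str) -> bool:
    """Match one host pattern (plain, wildcard or |1| hashed) against a name."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    # Host names are case-insensitive; fnmatch gives the * and ? wildcards.
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def lookup(known_hosts: str, hostname: str, key_type: str, key_blob: str) -> str:
    """Classify the key a host presents against the file contents.

    Returns "match" (pinned key agrees), "revoked" (agrees with an @revoked
    line), "mismatch" (host listed with this key type but a different key,
    the "host identification has changed" case) or "unknown" (no entry).
    "unknown" is not a denial: ssh and sshd decide separately what to do
    with a host that has no entry.
    """
    listed_with_type = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if marker not in (None, "@revoked"):
            continue  # @cert-authority lines hold CA keys; out of scope here
        if len(fields) < 3:
            continue  # malformed line; ssh ignores it too
        patterns, ktype, kblob = fields[0], fields[1], fields[2]
        matched = negated = False
        for pat in patterns.split(","):
            if pat.startswith("!"):
                negated = negated or host_matches(pat[1:], hostname)
            else:
                matched = matched or host_matches(pat, hostname)
        # A negated pattern that matches disables the whole line.
        if negated or not matched or ktype != key_type:
            continue
        listed_with_type = True
        if kblob == key_blob:
            return "revoked" if marker == "@revoked" else "match"
    return "mismatch" if listed_with_type else "unknown"


def demo() -> dict:
    """Run the lookup over the sample file plus one hashed entry."""
    salt = b"\x01" * 20  # constructed salt; ssh-keygen uses 20 random bytes
    hashed_line = hash_hostname("shell.example.org", salt) + " ssh-ed25519 KEYTHREE\n"
    kh = SAMPLE_KNOWN_HOSTS + hashed_line
    return {
        "pinned":     lookup(kh, "gregorie.org", "ssh-ed25519", "KEYONE"),
        "by_address": lookup(kh, "192.0.2.10", "ssh-ed25519", "KEYONE"),
        "changed":    lookup(kh, "gregorie.org", "ssh-ed25519", "KEYOTHER"),
        "wildcard":   lookup(kh, "box.example.net", "ssh-ed25519", "KEYWILD"),
        "hashed":     lookup(kh, "shell.example.org", "ssh-ed25519", "KEYTHREE"),
        "revoked":    lookup(kh, "old.example.org", "ssh-rsa", "KEYTWO"),
        "unlisted":   lookup(kh, "unlisted.example.com", "ssh-ed25519", "KEYONE"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("{:<10} -> {}".format(case, result))
```

The "changed" and "unlisted" rows are the two outcomes the thread conflates: only the first is evidence of something wrong with the host at the other end, and it is the one worth an alert from whoever does read the logs; the second is simply a host the file says nothing about, which is why the file cannot serve as an allow-list on its own.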