From: Martin Gregorie on 15 Jan 2006 18:10

Chris Croughton wrote:
> Yes, I use ssh over the Internet and I don't use that file, because the
> whole point is that I need to be able to get into my machine from places
> where I don't know the IP address (in some cases, via machines using
> dialup connections where the IP address isn't even the same each time I
> connect). As far as I can see by its nature it only allows connection
> from individual hosts, not even a range, and so is useless to me.

I quite see your reasoning, and why it would not work for you. Did you try wildcarding it? The manpages mention this facility, but don't explain how a given public key could apply to, say, all the hosts implied by *.smith.org or by 111.222.333.* - I see some confusion there!

However, I want to solve the reverse problem and create an exceedingly narrow window where only one or two known hosts would be allowed in for remote sysadmin, and this technique looks as if it matches my requirement.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Nix on 15 Jan 2006 18:11

On Sun, 15 Jan 2006, Tony van der Hoff gibbered uncontrollably:
> I use port 22; that's what it's for. I do see the occasional dictionary
> attacks, which come to nowt due to my using strong account passwords

You allow password-authentication over the open Internet? *shudder*

I see dictionary attacks which come to nothing because the idiots are handing it passwords when I want it to give me keys. :)

-- 
`Logic and human nature don't seem to mix very well, unfortunately.'
--- Velvet Wood
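Nix's point, that a key-only sshd turns dictionary attacks into background noise, comes down to a handful of sshd_config keywords, and it is easy to believe a server is key-only when it is not. The checker below is an added example, not code from the thread or from OpenSSH. It assumes the documented sshd_config(5) behaviour that the first value for a keyword wins and that PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication default to "yes" when absent; it reads only the global section (everything before the first Match line), and the two configs it checks are constructed samples.

```python
"""Audit an sshd_config for settings that still let passwords through.

Added illustration, not code from the thread. Assumptions: the constructed
configs below are samples; the checker reads only the global section
(everything before the first "Match" line), since Match blocks apply
conditionally.
"""
from __future__ import annotations

# sshd uses the first value it finds for a keyword; later repeats are ignored.
# These are the values sshd assumes when the keyword is absent entirely.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value for each keyword (first occurrence wins)."""
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in line:  # the "Keyword=value" form is also accepted
            parts = line.split("=", 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break  # anything after the first Match block is conditional
        effective.setdefault(key, value)
    return effective


def audit_password_exposure(text: str) -> list[str]:
    """List the ways this config could still accept a password over the network."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; honour whichever keyword is present.
    kbd = cfg.get("kbdinteractiveauthentication", cfg["challengeresponseauthentication"])
    findings: list[str] = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled: a guessed password is enough")
    if kbd.lower() != "no":
        findings.append("keyboard-interactive is enabled: PAM can still prompt for a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: key-only login cannot work")
    return findings


# Constructed sample: looks tidy but still accepts passwords, so dictionary
# attacks are worth the attacker's while.
WEAK_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sample: keys only, with a conditional exception for the LAN that
# must not be mistaken for the global setting.
KEYS_ONLY_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

Match Address 192.168.7.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("keys-only", KEYS_ONLY_CONFIG)):
        print(name, "->", audit_password_exposure(text) or ["no password exposure"])
```

The second finding is the one most often missed: setting PasswordAuthentication no while leaving keyboard-interactive enabled still lets PAM ask for a password, so a "keys only" server remains a dictionary-attack target until both are off.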
From: Toby Inkster on 15 Jan 2006 20:19

Martin Gregorie wrote:
> There are TWO known_hosts files.
> ~/.ssh/known_hosts
> This works like you describe and automatically collects the keys for the
> hosts you connect to with your ssh client.
> /etc/ssh/known_hosts
> This is optional and used by sshd. If it is present it restricts the
> hosts that sshd will accept connections from.

Not sure which version of SSH you're using, but my "man sshd" lists only these two known_hosts files:

/etc/ssh/ssh_known_hosts
$HOME/.ssh/known_hosts

The former acting the same as the latter, but read-only, and for all users on the system rather than just one.

To restrict which hosts may log in, my "man sshd" recommends:

/etc/hosts.allow
/etc/hosts.deny

-- 
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
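Toby's pointer to /etc/hosts.allow and /etc/hosts.deny, and Martin's earlier question about wildcards such as *.smith.org or 111.222.333.*, both come down to the client patterns that tcp_wrappers (hosts_access(5)) understands: a leading dot matches a domain suffix, a trailing dot matches an address prefix, net/mask matches a network, and EXCEPT carves hosts out of a list. The simulator below is an added example, not code from the thread or from the tcp_wrappers project. It models the documented rule order (hosts.allow first, then hosts.deny, otherwise allow) and those client patterns; it takes the peer's hostname as given instead of resolving it, does not model EXCEPT in the daemon list, and the rule tables and addresses are constructed samples.

```python
"""Simulate the /etc/hosts.allow and /etc/hosts.deny decision for sshd.

Added illustration, not code from the thread or from the tcp_wrappers
project. It models the documented hosts_access(5) rule order and client
patterns (ALL, ".domain" suffix, "1.2.3." prefix, "net/mask", and EXCEPT);
the hostname is taken as given rather than resolved, and the daemon-list
EXCEPT form is not modelled. Rule texts and addresses are constructed samples.
"""
import ipaddress


def _pattern_matches(pattern: str, host: str, ip: str) -> bool:
    """Match one client pattern against the peer's hostname and address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".smith.org" matches any host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):        # "111.222.33." matches that address prefix
        return ip.startswith(pattern)
    if "/" in pattern:               # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, ip)     # exact hostname or exact address


def _client_list_matches(client_list: str, host: str, ip: str) -> bool:
    """Evaluate a client list, honouring the 'list EXCEPT list' form."""
    tokens = client_list.replace(",", " ").split()
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        included, excluded = tokens[:idx], tokens[idx + 1:]
        return (any(_pattern_matches(p, host, ip) for p in included)
                and not any(_pattern_matches(p, host, ip) for p in excluded))
    return any(_pattern_matches(p, host, ip) for p in tokens)


def _table_matches(table: str, daemon: str, host: str, ip: str) -> bool:
    """Return True if any 'daemon_list : client_list' line in the table matches."""
    for raw in table.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        if daemon in daemons or "ALL" in daemons:
            if _client_list_matches(fields[1], host, ip):
                return True
    return False


def hosts_access(allow: str, deny: str, daemon: str, host: str, ip: str) -> bool:
    """hosts_access(5) order: a hosts.allow match grants, otherwise a hosts.deny
    match refuses, otherwise the connection is allowed."""
    if _table_matches(allow, daemon, host, ip):
        return True
    if _table_matches(deny, daemon, host, ip):
        return False
    return True


# Constructed: the "exceedingly narrow window" from the thread, two known hosts
# for remote sysadmin (one by address, one by name), plus a domain wildcard
# with one machine carved out of it.
HOSTS_ALLOW = """\
sshd: 192.168.7.15, admin.smith.org
sshd: .smith.org EXCEPT guest.smith.org
"""
# Constructed: refuse everything else, for every wrapped service.
HOSTS_DENY = """\
ALL: ALL
"""

if __name__ == "__main__":
    for host, ip in (("admin.smith.org", "203.0.113.9"), ("", "192.168.7.15"),
                     ("guest.smith.org", "203.0.113.10"), ("", "198.51.100.4")):
        verdict = "accept" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", host, ip) else "refuse"
        print(f"{host or '(unresolved)':20} {ip:16} {verdict}")
```

Two caveats a practitioner would want alongside this: the real library matches hostnames only after a forward and reverse DNS check agree, so name-based patterns are only as trustworthy as DNS, and OpenSSH removed its built-in libwrap support in 6.7, so on a current server the same narrow window is usually expressed with sshd's own Match Address or AllowUsers directives or with the host firewall rather than hosts.allow.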
From: Toby Inkster on 15 Jan 2006 20:28

Martin Gregorie wrote:
> Thanks for that. I think this explains why, having muttered about
> ssh_known_hosts, the manpage also witters on about the hosts.* files.

Further, I don't think using "ssh_known_hosts" as a security mechanism to prevent people logging on to your server is even a viable method. It has one serious flaw -- it assumes that the client is logging on from a machine that is itself a SSH server, and thus has a host key.

-- 
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
From: alexd on 16 Jan 2006 02:55

Martin Gregorie wrote:
> alexd wrote:
>>
>> If you're super-paranoid, try port knocking.
>>
> What's that, he says ignorantly.

It's Security By Obscurity, version 2.1 ;-)

http://en.wikipedia.org/wiki/Port_knocking

Probably overkill in most cases.

-- 
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
07:54:00 up 12:08, 2 users, load average: 0.11, 0.25, 0.26
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK