From: Nix on 16 Jan 2006 09:22

On Mon, 16 Jan 2006, alexd stated:
> then it's probably not outside the bounds of probability that one could
> mount an scp or sftp connection, with a similar bit of userspace code.

Like, say, the sshfs FUSE module? :)

> course, you can always tunnel NFS inside SSH:
>
> http://www.math.ualberta.ca/imaging/snfs/

See also SFS, <http://fs.net/>, for a secure variant of NFS with a unified
global filesystem (with a remarkably unpleasant naming convention for
directories).

-- 
`Logic and human nature don't seem to mix very well, unfortunately.'
--- Velvet Wood
From: Martin Gregorie on 16 Jan 2006 11:28

alexd wrote:
> Martin Gregorie wrote:
>
>> alexd wrote:
> [Port knocking] is Security By Obscurity, version 2.1 ;-)
>
Yes, it is, rather, isn't it? Quite ingenious, though. Probably unusable
with an ADSL router unless you've got one that's fancy enough to send its
access log to a server, though.

> Probably overkill in most cases.
>
Sure, but I can see uses for it all the same: could be useful for the
traveling consultant needing to call home.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Martin Gregorie on 16 Jan 2006 11:32

usenet(a)isbd.co.uk wrote:
> Martin Gregorie <martin(a)see.sig.for.address> wrote:
>> Chris Croughton wrote:
>>> Yes, I use ssh over the Internet and I don't use that file, because the
>>> whole point is that I need to be able to get into my machine from places
>>> where I don't know the IP address (in some cases, via machines using
>>> dialup connections where the IP address isn't even the same each time I
>>> connect). As far as I can see by its nature it only allows connection
>>> from individual hosts, not even a range, and so is useless to me.
>>>
>> I quite see your reasoning, and why it would not work for you. Did you
>> try wildcarding it? The manpages mention this facility, but don't
>> explain how a given public key could apply to, say, all the hosts
>> implied by *.smith.org or by 111.222.333.* - I see some confusion there!
>>
>> However, I want to solve the reverse problem and create an exceedingly
>> narrow window where only one or two known hosts would be allowed in for
>> remote sysadmin and this technique looks as if it matches my requirement.
>>
> Surely even a fairly simple firewall can be set up to allow only
> certain hosts to access your system using specific ports.
>
Only with a permanently forwarded port and a white list on the server.
I'm just mildly paranoid about spoofing and the use of ssh_known_hosts
should prevent that.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Martin Gregorie on 16 Jan 2006 11:38

Toby Inkster wrote:
> Martin Gregorie wrote:
>
>> There are TWO known_hosts files.
>> ~/.ssh/known_hosts
>> This works like you describe and automatically collects the keys for the
>> hosts you connect to with your ssh client.
>> /etc/ssh/known_hosts
>> This is optional and used by sshd. If it is present it restricts the
>> hosts that sshd will accept connections from.
>
> Not sure which version of SSH you're using, but my "man sshd" lists only
> these two known_hosts files:
>
> /etc/ssh/ssh_known_hosts
> $HOME/.ssh/known_hosts
>
> The former acting the same as the latter, but read-only, and for all users
> on the system rather than just one. To restrict which hosts may log in, my
> "man sshd" recommends:
>
> /etc/hosts.allow
> /etc/hosts.deny
>
Interesting. Mine says pretty much the opposite, but it does rather lump
hosts.allow|deny in with hosts.equiv as well as saying that sshd will use
the public key in ssh_known_hosts to permit access. What it doesn't say
explicitly is that a key non-match will forbid access, but I can't see why
sshd should even glance at the public key if it doesn't reject non-matches.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: John Phillips on 16 Jan 2006 13:16
On 2006-01-16, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
> On 15 Jan 2006, John Phillips whispered secretively:
>> On 2006-01-15, Nix <nix-razor-pit(a)esperi.org.uk> wrote:
>>> The vast majority of attacks on SSH are attacks on bad passwords; I've
>>> had some twit trying for most of today and yesterday, four or five
>>> requests a second...
>>
>> I saw a lot of that until I throttled back the allowable connection
>> rate with iptables.
>
> What a good idea. I'll have to do that here.
>
>> Probably not much extra security, if any, but they
>> generally go away now after a very small number of attempts.
>
> It'll stop them hogging my line (a whole 1.5Kb/s of bandwidth, ooh, I'm
> dying; but there's nothing stopping them trying faster, especially once
> 2.6.16 comes out, with a patch that should double the speed of my
> firewall
> (<http://user-mode-linux.sourceforge.net/work/current/2.6/2.6.15-rc6/patches/softints>)...)

Well I did put the limit in place originally as a general SYN flood
protection rule in the firewall, but it does keep the crackers away as a
side-effect.

-- 
John Phillips
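[Editor's note, not part of the thread.] Nix's "four or five requests a second" and John's iptables throttle are the two halves of the standard answer to SSH password guessing: see it in the sshd log, then cap the connection rate per source. The script below is an added example, not John's rule set or anything from the thread. It counts "Failed password" lines per source address from a constructed sample of sshd log lines (the addresses and names are made up), emits the netfilter `recent`-module rules that drop a source opening more than a given number of new SSH connections inside a time window, and emits per-source DROP rules for the offenders it found. Nothing is applied: the rules are printed so they can be reviewed, and piping them to `sh` on a Linux host as root is the operator's step. Rule syntax is iptables' `-m state` / `-m recent` as shipped with 2.6-era kernels; the exact thresholds (60 seconds, 4 hits, 3 failures) are assumptions to tune.

```shell
#!/bin/sh
# Added example (not from the thread): find SSH password brute-forcing in
# sshd log lines and produce the iptables rules that throttle it.

# Constructed sample of sshd log lines (not a real capture).
SAMPLE_LOG='Jan 16 09:01:01 host sshd[1201]: Failed password for root from 10.9.8.7 port 40001 ssh2
Jan 16 09:01:01 host sshd[1202]: Failed password for invalid user admin from 10.9.8.7 port 40002 ssh2
Jan 16 09:01:02 host sshd[1203]: Failed password for invalid user test from 10.9.8.7 port 40003 ssh2
Jan 16 09:01:02 host sshd[1204]: Failed password for invalid user oracle from 10.9.8.7 port 40004 ssh2
Jan 16 09:01:03 host sshd[1205]: Failed password for invalid user guest from 10.9.8.7 port 40005 ssh2
Jan 16 09:02:10 host sshd[1210]: Failed password for martin from 192.0.2.44 port 51000 ssh2
Jan 16 09:02:15 host sshd[1210]: Accepted publickey for martin from 192.0.2.44 port 51000 ssh2
Jan 16 09:03:00 host sshd[1220]: Failed password for invalid user www from 198.51.100.9 port 3022 ssh2
Jan 16 09:03:00 host sshd[1221]: Failed password for invalid user ftp from 198.51.100.9 port 3023 ssh2'

# ssh_bruteforce_sources LOGTEXT MIN -> prints "count ip" for every source
# with at least MIN failed password attempts, highest count first.
ssh_bruteforce_sources() {
    printf '%s\n' "$1" |
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }' |
    sort -rn
}

# ssh_ratelimit_rules SECONDS HITS -> prints the two rules that throttle new
# SSH connections per source.  The first records each new connection in the
# "SSH" recent list; the second drops a source once it has HITS or more new
# connections within SECONDS (and refreshes its timestamp, so a source that
# keeps hammering stays blocked).  Assumed thresholds; tune for your line.
ssh_ratelimit_rules() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --update --seconds $1 --hitcount $2 -j DROP
EOF
}

# ssh_block_rules LOGTEXT MIN -> prints one DROP rule per offending source.
ssh_block_rules() {
    ssh_bruteforce_sources "$1" "$2" |
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Dry run over the constructed sample.  On a real host, as root:
#   ssh_ratelimit_rules 60 4 | sh
#   ssh_block_rules "$(cat /var/log/auth.log)" 5 | sh
ssh_ratelimit_rules 60 4
ssh_block_rules "$SAMPLE_LOG" 3
```

Two caveats: the `recent` rules count every new connection from a source, including your own, so an admin who reconnects several times within the window locks themself out until it expires (keep the window short or exempt your management address with an earlier ACCEPT rule); and, as John says, this is a rate cap rather than extra authentication strength, so it belongs alongside disabling password authentication, not in place of it.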