From: Martin Gregorie on 14 Jan 2006 10:59

I'm thinking about setting up remote SSH access through a hole in my firewall and NAT router.

I'm happy that I know what I'm doing when it comes to configuring the router so it forwards the port to the box running sshd.

I've read the manpages and HOWTOs about this and looked at the OpenSSH web site. I think I understand enough to set up remote access apart from getting the values for the /etc/ssh/known_hosts entries. Getting these values is scrappily described in all the stuff I've looked at.

So, I'd appreciate advice on hardening sshd:

- should I use /etc/ssh/known_hosts to limit access to specific computers? I assume the answer is *yes*
- is it best to identify permitted clients by IP, host name or a combination of the two?
- if the client is behind a firewall, I suppose the IP would be the firewall's external IP. Is this correct?
- can the known_hosts entry be just the host ID?
- if the known_hosts entry should have all fields specified, what's the best way of getting the right values?

-- 
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
From: Marek Wawro on 14 Jan 2006 12:35

Martin Gregorie wrote:
> I'm thinking about setting up remote SSH access through a hole in my
> firewall and NAT router.
>
> I'm happy that I know what I'm doing when it comes to configuring the
> router so it forwards the port to the box running sshd.
>
> I've read the manpages and HOWTOs about this and looked at the OpenSSH
> web site. I think I understand enough to set up remote access apart from
> getting the values for the /etc/ssh/known_hosts entries. Getting these
> values is scrappily described in all the stuff I've looked at.
> So, I'd appreciate advice on hardening sshd:
>
> - should I use /etc/ssh/known_hosts to limit access to specific
> computers? I assume the answer is *yes*

known_hosts is a database of hosts known BY you; it is protection against man-in-the-middle attacks. When you connect to a new machine for the first time, ssh asks you to verify the fingerprint and stores it on your hard drive.

> - is it best to identify permitted clients by IP, host name or a
> combination of the two?

Any combination is good, as long as you know what you are doing. I suggest using password-protected keys for authorisation and a well-configured firewall based on source address.

> - if the client is behind a firewall, I suppose the IP would be
> the firewall's external IP. Is this correct?

Exactly.

> - can the known_hosts entry be just the host ID?

???

> - if the known_hosts entry should have all fields specified, what's the
> best way of getting the right values?

Make them as they are :) However, I think you misunderstand the value of known_hosts.

Mark
From: Martin Gregorie on 14 Jan 2006 15:15

Marek Wawro wrote:
> Martin Gregorie wrote:
>> - can the known_hosts entry be just the host ID?
> ???

/etc/ssh/known_hosts contains the space-separated fields:

hostnames, bits, exponent, modulus, comment

The manpage examples are:

closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=

which don't really match the required parameters. OK, I can recognise that the remote computer is identified by both name and IP, but both examples seem to have ignored one or more parameters. This is not explained at all in the manpage, apart from the comment that:

"the lines in these files are typically hundreds of characters long, and you definitely don't want to type in the host keys by hand. Rather, generate them by a script or by taking /etc/ssh/ssh_host_key.pub and adding the host names at the front."

>> - if the known_hosts entry should have all fields specified, what's the
>> best way of getting the right values?
>
> make them as they are :) however i think you misunderstand the value of
> known_hosts

I know that I can use the /etc/ssh/hosts.equiv file, which contains just a host name and optionally a user name in each line, but that's obviously not as secure as using /etc/ssh/known_hosts.

Now, just what is the script mentioned in the manpage quoted above meant to do? Which of /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub is the best one to use, or should I install all three as three successive lines in known_hosts?

I use ssh internally and notice that my ~/.ssh/known_hosts only contains the ssh_rsa keys.

I suppose a potential host's owner could run sshd, assuming he doesn't use ssh internally, to generate a public key and then e-mail me a copy of the resulting /etc/ssh/ssh_host_rsa_key.pub? However, that's not totally secure. Is there a better way?

-- 
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
From: Colin McKinnon on 14 Jan 2006 15:43

Martin Gregorie wrote:
> I'm thinking about setting up remote SSH access through a hole in my
> firewall and NAT router.
>
> I'm happy that I know what I'm doing when it comes to configuring the
> router so it forwards the port to the box running sshd.
>
> I've read the manpages and HOWTOs about this and looked at the OpenSSH
> web site. I think I understand enough to set up remote access apart from
> getting the values for the /etc/ssh/known_hosts entries. Getting these
> values is scrappily described in all the stuff I've looked at.
> So, I'd appreciate advice on hardening sshd:
>
> - should I use /etc/ssh/known_hosts to limit access to specific
> computers? I assume the answer is *yes*
>

Honestly, for a small system not holding secure data I don't think it's worth the effort - by all means restrict the hosts which can connect to port 22 on the machine in its firewall and with appropriate entries for tcp wrappers (man 5 hosts_access). Another step I'd recommend is to only allow ssh logins for users of a specific group (AllowGroups in sshd_config). Definitely don't allow root logins via ssh.

> - is it best to identify permitted clients by IP, host name or a
> combination of the two?
>
> - if the client is behind a firewall, I suppose the IP would be
> the firewall's external IP. Is this correct?
>

Not necessarily.

> - can the known_hosts entry be just the host ID?
>

Host ID?

C.
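Colin's two sshd_config recommendations (PermitRootLogin no, AllowGroups) are easy to state and easy to get wrong in practice, because sshd takes the first value it sees for a keyword and anything below a Match line is block-scoped. The script below is an added example written for this page, not code from any poster: it audits a config file for those two settings, and also for key-only authentication, which goes one step beyond what Colin lists. It assumes POSIX sh and awk and the whitespace-separated "Keyword value" form; the two config texts are constructed samples, and the group name sshusers is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the two
# settings Colin recommends (no root logins over ssh, logins limited to one
# group) plus key-only authentication, which goes one step further.
# Assumes POSIX sh and awk; the config texts below are constructed samples.
#
# OpenSSH rule that matters for an audit: for each keyword the FIRST value
# wins, and anything after a "Match" line applies only to that Match block.
# An audit therefore reads the first global occurrence, not the last.

# sshd_option FILE KEYWORD
#   Prints the argument of the first global (pre-Match) occurrence of KEYWORD,
#   case-insensitively; prints nothing if it is unset (= compiled-in default).
#   Assumes the "Keyword value" form, not "Keyword=value".
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { inmatch = 1 }  # everything below is block-scoped
        inmatch { next }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")     # strip the keyword itself
            print; exit
        }' "$1"
}

# lc STRING -> lower-cased copy, for value comparisons
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# audit_sshd_config FILE
#   Prints one line per finding and returns 1 if there were any; returns 0
#   when the file passes all three checks.
audit_sshd_config() {
    f=$1 bad=0
    root=$(sshd_option "$f" PermitRootLogin)
    # Unset is a finding too: the built-in default has never been "no".
    [ "$(lc "$root")" = no ] ||
        { echo "PermitRootLogin is '${root:-unset}', want 'no'"; bad=1; }

    groups=$(sshd_option "$f" AllowGroups)
    [ -n "$groups" ] ||
        { echo "AllowGroups unset: any account with a shell may log in"; bad=1; }

    pw=$(sshd_option "$f" PasswordAuthentication)
    [ "$(lc "$pw")" = no ] ||
        { echo "PasswordAuthentication is '${pw:-unset}', want 'no' (keys only)"; bad=1; }
    return "$bad"
}

# Constructed samples: the kind of file a default install ships, and a
# hardened one. The Match block shows why "last value wins" would be wrong:
# passwords are off globally and re-enabled only for the LAN.
WEAK_CONF='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'
HARD_CONF='# constructed sample
Port 22
PermitRootLogin no
AllowGroups sshusers
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
'

# Run both samples through the audit.
demo() {
    d=$(mktemp -d)
    printf '%s' "$WEAK_CONF" > "$d/weak"
    printf '%s' "$HARD_CONF" > "$d/hard"
    echo "== weak =="; audit_sshd_config "$d/weak" || true
    echo "== hardened =="; audit_sshd_config "$d/hard" && echo "no findings"
    rm -rf "$d"
}
demo
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`, and run `sshd -t` after any edit so a typo does not lock you out of the box you are forwarding the port to. Colin's tcp wrappers suggestion (hosts.allow/hosts.deny with `sshd: ...` entries) only ever applied to sshd built with libwrap, and OpenSSH dropped that support in 6.7, so on a current server the source-address restriction belongs in the firewall alone.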
From: Dave {Reply Address in.Sig} on 14 Jan 2006 17:10

Martin Gregorie wrote:
> Marek Wawro wrote:
>> Martin Gregorie wrote:
>>> - can the known_hosts entry be just the host ID?
>> ???
> /etc/ssh/known_hosts contains the space-separated fields:
>
> hostnames, bits, exponent, modulus, comment
>
> the manpage examples are:
> closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi
> cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....=
>
> which don't really match the required parameters. OK, I can recognise
> that the remote computer is identified by both name and IP, but both
> examples seem to have ignored one or more parameters. This is not
> explained at all in the manpage, apart from the comment that:
>

I think you're using the wrong file. known_hosts is the file I use with my ssh client to communicate with remote machines. It stores keys for each server to which I connect and validates that it's the same one as last time (re-installing a server causes its keys to change, as does swapping one for another by just changing its hostname/IP address).

Are you perhaps after the $HOME/.shosts file?

-- 
Dave
mail da ve(a)llondel.org (without the space)
http://www.llondel.org
So many gadgets, so little time |
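The two manpage formats that puzzled Martin are the protocol-1 form (bits, exponent, modulus) and the protocol-2 form (key type, base64 blob); only the second matters today. Dave is right that known_hosts lives on the client side, and the "script" the manpage alludes to is the one below: an added example written for this page, not code from any poster, that turns a server's /etc/ssh/ssh_host_*_key.pub files into known_hosts lines and checks a line's shape. It assumes POSIX sh and awk, calls ssh-keygen only if it is installed, and the key blob and host names (gw.example.org, 203.0.113.5) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: the "script" the sshd(8) manpage
# alludes to. It turns a server's /etc/ssh/ssh_host_*_key.pub files into
# client-side known_hosts lines and sanity-checks a line's shape.
# Assumes POSIX sh and awk; ssh-keygen is used only if present. The key
# blob below is a constructed placeholder, not a real host key.
#
# A public key file holds "<keytype> <base64 blob> [comment]"; a known_hosts
# line holds "<host1,host2,IP> <keytype> <base64 blob>". So the job is: drop
# the comment and prepend the names the client will use to reach the server.

SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0FAKEKEYDATAFORILLUSTRATION= root@gw'

# known_hosts_line HOSTS PUBKEY_LINE
#   HOSTS is the comma-separated list of names/addresses the client connects
#   to (for a server behind NAT: the public name and the router's external IP).
known_hosts_line() {
    printf '%s\n' "$2" | awk -v h="$1" '{ print h, $1, $2 }'
}

# known_hosts_from_dir HOSTS DIR
#   One line per host key type found in DIR (rsa, ecdsa, ed25519, ...).
#   Install all of them: the client uses whichever type it negotiates.
known_hosts_from_dir() {
    for f in "$2"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        known_hosts_line "$1" "$(cat "$f")"
    done
}

# check_known_hosts_line LINE -> 0 if it looks like a valid unhashed entry
#   (3+ fields, known key type, base64 blob), 1 otherwise. Hashed entries
#   (HashKnownHosts yes) start with "|1|" and are out of scope here.
check_known_hosts_line() {
    printf '%s\n' "$1" | awk '
        NF < 3 { exit 1 }
        $2 !~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/ { exit 1 }
        $3 !~ /^[A-Za-z0-9+\/]+=*$/ { exit 1 }
        { exit 0 }'
}

# fingerprint PUBKEY_FILE
#   What to read out over the phone (or compare against a value received by
#   a second channel) before trusting a key that arrived by e-mail.
fingerprint() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 1; }
    ssh-keygen -lf "$1"
}

# Demonstration with the constructed key:
known_hosts_line 'gw.example.org,203.0.113.5' "$SAMPLE_PUB"
```

On the server, `known_hosts_from_dir 'gw.example.org,203.0.113.5' /etc/ssh` prints the lines to append to the client's ~/.ssh/known_hosts or /etc/ssh/ssh_known_hosts. The alternative, `ssh-keyscan` run from the client, fetches the same keys over the network and is therefore only as trustworthy as that first connection; a key mailed by the server's owner is no better unless its `ssh-keygen -lf` fingerprint is confirmed over some channel an attacker on the path cannot also control.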