Re: configure ssh-access
[EMAIL PROTECTED] wrote:
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address to the hosts.allow file.
> Specifying the hosts DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be not any
> longer available at the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?
>
> thx in advance,
> Klaus

Another solution would be to use tacacs+ with s/key as an authentication
and authorization mechanism. Everyone that is successfully authenticated
by your tacacs+ server after supplying his one-time password could gain
access to the ssh service of your machine. This way you don't need to
configure dynamic DNS resolutions. I also think the ssh daemon has some
support for s/key. This could help a bit.

I think public keys are all right, they add a great deal in security,
but you'll have to force all users to get their keys. Now, depending on
your users' level of cooperation and knowledge this might be quite a
task. And then you'll have to add their public keys in their home
directories (which means that you have found a secure way of obtaining
the keys from the users) and sometimes even modify them in order for
your ssh daemon to read them properly. One could argue that you could
let the users login using their password and then install the public
keys themselves. But again, how many of your users are able to
successfully fulfill this installation?

However, you could perhaps generate the keys yourself, install them and
then deliver them (you still need a secure way of delivering).

~kmag

p.s. At the end, maybe it's just me, with a bad experience with users :-)
Re: configure ssh-access
(I'm replying to the list, hope you don't mind.)

On Thu, Jul 10, 2003 at 01:52:13PM +0200, Christian Kurz wrote:
> On [09/07/03 16:12], Peter Cordes wrote:
> > On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> > > On the 12240th day after Epoch, Mario Ohnewald wrote:
> > > > I think this problem should not be solved with configuring sshd.
> > >
> > > Wrong... You can configure sshd to accept only login from recognized keys,
> > > and let the firewall open.
> >
> > If there is an exploitable bug in that code, you're screwed, and the whole
> > world can crack your machine. It's not really a problem to allow ssh access
>
> Well, that's not only the case for sshd, but for any daemon with network
> access and that is running on the host. So even with a secure sshd
> daemon, it's possible that another daemon running on the host has an
> exploitable bug and is used to crack the machine.

That's no reason not to take a few simple steps to add some extra
security to sshd.

> > from the whole world, except when there's a problem with ssh. What you
>
> When has there been such a problem with ssh and ssh-v2 keys?

I don't always use keys. I sometimes want to log in from a friend's
computer (that I wouldn't want to leave an ssh private key lying around
on), or from a computer lab. You never know where there might be bugs
(unless you have seriously analyzed the code, and are _sure_ you did it
right, but that's not the case for me...).

> Also may I ask if you are aware about privilege separation, ensuring that
> operations needing root access are handled in a separate privileged
> monitor process? (http://www.citi.umich.edu/u/provos/ssh/privsep.html)

Yeah, I know about that. It's another layer of security, just like what
I do with only allowing connections from a few IP blocks.

> > should try to do is limit the chance people have to crack your machine
> > before you can do something about it. By allowing connections from only a
> > few IP address blocks, you cut out most of the crackers in the world, but
> > don't have to mess with dynamic DNS and lack of reverse lookup; A good
>
> But it's questionable if it's always possible to allow connections only
> from a handpicked amount of IPs/IP address blocks or not. Also it still
> leaves you with the possibility that a cracker cracks one of the
> machines being in the allowed IP space and uses that machine to crack
> your system. I think it should be carefully evaluated if the advantages
> of restricting access to a well defined IP space are worth the effort or
> not.

Of course it's not always possible. If it is possible, and not too much
effort to identify the IP blocks, then it might be worth doing for some
people. It's an extra layer of security. It's not something to be relied
on to keep you safe, it's just something that makes it even more
difficult for the bad guys. If it's too much work, or the chance of
causing inconvenience outweighs the (probably small, given the good
security record of ssh) benefits, then don't do it.

In my case, there are no significant disadvantages. I have an account on
a computer that does allow ssh from anywhere, so if I need to ssh to my
machine from an IP that my sshd doesn't allow, I can go through the other
machine.

I'm _not_ saying this is something that everyone has to do. I'm just
saying that it might help a bit, and is something I do.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
Re: configure ssh-access
Hi,

On Wed Jul 09, 2003 at 23:16:51 +0200, François TOURDE wrote:
> > By allowing connections from only a
> > few IP address blocks, you cut out most of the crackers in the world, but
> > don't have to mess with dynamic DNS and lack of reverse lookup; A good
> > tradeoff between security and convenience.
>
> Even with fake/forged IPs?

SSH is TCP-based. IP spoofing on the internet is very hard to do.

> You can also imagine a knocking (? toc toc toc) mechanism: One ping,
> followed by two telnet packets, then 4 ftp or whatever packets, and
> then your ip is allowed to try a ssh connection...

This is security by obscurity. Approaches like this have been discussed
on this list before. It is the somewhat convoluted equivalent of a
plaintext password authentication scheme layered on top of SSH.

Regards,
uLI
Re: configure ssh-access
On the 12242nd day after Epoch, Peter Cordes wrote:
> On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
>> On the 12240th day after Epoch, Mario Ohnewald wrote:
>> > I think this problem should not be solved with configuring sshd.
>>
>> Wrong... You can configure sshd to accept only login from recognized keys,
>> and let the firewall open.
>
> If there is an exploitable bug in that code, you're screwed, and the whole
> world can crack your machine.

Yes, sure. And if the IP stack has a bug, your machine is open worldwide.
And if your door is buggy, then anybody can enter...

I think the original post is: "Suppose there are no bugs in life, how can
I authorize access from recognized people" ... And so the good response
is "Use keys"...

> It's not really a problem to allow ssh access
> from the whole world, except when there's a problem with ssh. What you
> should try to do is limit the chance people have to crack your machine
> before you can do something about it.

Yes, I agree, but if you want to access a box through the network, there
is *always* a risk if washi or washa has a hole, and an exploit is
published.

> By allowing connections from only a
> few IP address blocks, you cut out most of the crackers in the world, but
> don't have to mess with dynamic DNS and lack of reverse lookup; A good
> tradeoff between security and convenience.

Even with fake/forged IPs?

Anyway, you can be paranoid with your machine, but there are always
solutions to enter into these kinds of machines. Actually, there is no
known bug in ssh V2 using key authentication. This is the easier
solution.

You can also imagine a knocking (? toc toc toc) mechanism: One ping,
followed by two telnet packets, then 4 ftp or whatever packets, and
then your ip is allowed to try a ssh connection...

Good luck ;)

-- 
"Jesus saves...but Gretzky gets the rebound!"
-- Daniel Hinojosa ([EMAIL PROTECTED])

-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: configure ssh-access
On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> On the 12240th day after Epoch, Mario Ohnewald wrote:
> > I think this problem should not be solved with configuring sshd.
>
> Wrong... You can configure sshd to accept only login from recognized keys,
> and let the firewall open.

If there is an exploitable bug in that code, you're screwed, and the
whole world can crack your machine. It's not really a problem to allow
ssh access from the whole world, except when there's a problem with ssh.
What you should try to do is limit the chance people have to crack your
machine before you can do something about it. By allowing connections
from only a few IP address blocks, you cut out most of the crackers in
the world, but don't have to mess with dynamic DNS and lack of reverse
lookup; a good tradeoff between security and convenience.

I suppose filtering with iptables is really the way to do it, but using
ssh's built-in AllowUsers is still at least somewhat useful. I don't know
how much code in sshd runs before AllowUsers is checked, but I hope not
too much, so as to minimize the risk of bugs.

> > I solved it with an iptables script which resolves my dynamic host every
> > 5 mins, and then reloads the firewall if needed.
>
> So, in some cases, you must wait 5 mins to connect?

Yeah, I agree that this is going too far, unless you are trying to
protect secrets that require armed guards in the real world, to back up
the extreme paranoia in the virtual world.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
Re: configure ssh-access
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address to the hosts.allow file.
> Specifying the hosts DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be not any
> longer available at the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?

If you know what ISP the people you want to allow are using, you can
find out what IP address blocks they have, and allow those blocks. For
example, my sshd allows connections from, among other things,
*@:::24.222.*. (It listens on ipv6, so v4 connections are seen as coming
from v4-mapped addresses.)

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack
my day so wretchedly into small pieces!" -- Plautus, 200 BC
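The AllowUsers approach Peter describes above (admitting an ISP's address block, with v4 clients showing up as v4-mapped addresses on a v6 listener) is easy to get wrong in the direction of locking yourself out: a pattern written for one listener type silently matches nothing on the other. The following is an added example, not code posted to the list and not OpenSSH's own code. It is a small Python model of how sshd evaluates AllowUsers entries, run over constructed sample patterns and addresses. The address form `::ffff:24.222.*` is an assumption about how the pattern quoted above would be spelled out in full (the mail reproduces it as extracted); that is the textual form Linux uses for v4-mapped v6 addresses.

```python
#!/usr/bin/env python3
"""Check which clients a set of sshd AllowUsers patterns would admit.

sshd tests each AllowUsers entry of the form USER@HOST against the
client's user name and its address as the listener reports it (and
against the reverse-resolved host name when that is available); '*' and
'?' are the only wildcards.  A v4 client reaching a dual-stack (v6)
listener is reported as a v4-mapped address such as ::ffff:24.222.1.2,
so a pattern written for one listener type silently fails on the other.
This models the check so a pattern list can be tried before it locks
you out.  All names and addresses below are constructed samples.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def match_pattern(pattern: str, text: str) -> bool:
    """Glob match in the style of sshd's match_pattern(): '*' matches any run
    of characters (including none), '?' matches exactly one, all else literal."""
    if not pattern:
        return text == ""
    if pattern[0] == "*":
        # let '*' swallow zero or more characters, then match the rest
        return any(match_pattern(pattern[1:], text[i:]) for i in range(len(text) + 1))
    if not text:
        return False
    if pattern[0] == "?" or pattern[0] == text[0]:
        return match_pattern(pattern[1:], text[1:])
    return False


def address_forms(client_ip: str) -> List[str]:
    """Textual forms a listener may report for one client address.

    A native v4 listener reports '24.222.1.2'; a v6 listener accepting v4
    reports the v4-mapped form '::ffff:24.222.1.2'.  Both are returned so
    the pattern list can be checked against either configuration.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        return [str(ip), f"::ffff:{ip}"]
    mapped = ip.ipv4_mapped
    if mapped is not None:
        return [str(mapped), f"::ffff:{mapped}"]
    return [str(ip)]


def is_allowed(user: str, addr_seen: str, patterns: Iterable[str],
               hostname: Optional[str] = None) -> bool:
    """True if any AllowUsers pattern admits `user` connecting from `addr_seen`.

    USER@HOST entries need both halves to match; HOST is tried against the
    address string and, if given, the resolved host name.  Entries without
    '@' match on the user name alone.  No match means sshd refuses the login.
    """
    for pat in patterns:
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if not match_pattern(upat, user):
                continue
            if match_pattern(hpat, addr_seen):
                return True
            if hostname is not None and match_pattern(hpat, hostname):
                return True
        elif match_pattern(pat, user):
            return True
    return False


def check_listeners(patterns: Iterable[str], user: str, client_ip: str,
                    hostname: Optional[str] = None) -> Dict[str, bool]:
    """Decision per address form, so a lockout on one listener type is visible."""
    pats = list(patterns)
    return {form: is_allowed(user, form, pats, hostname) for form in address_forms(client_ip)}


if __name__ == "__main__":
    # Constructed sample: an ISP block written for a v6 listener, plus one
    # admin host on a lab network written for a v4 listener.
    allow = ["*@::ffff:24.222.*", "admin@192.0.2.?"]
    for user, ip in [("peter", "24.222.1.2"), ("admin", "192.0.2.5"), ("bob", "198.51.100.9")]:
        print(user, ip, check_listeners(allow, user, ip))
```

Running the sample shows the trap directly: `*@::ffff:24.222.*` admits peter only on the v6 listener, and `admin@192.0.2.?` admits admin only on a v4 listener, so a host that binds both needs both spellings. One caveat that bears on Peter's uncertainty above: sshd evaluates AllowUsers during authentication, after the version exchange and key exchange have already run, so it limits who can reach the authentication code but not who can reach the earlier protocol parsing; a packet filter or tcp_wrappers in front of sshd is what cuts that off.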
Re: configure ssh-access
[EMAIL PROTECTED] wrote:
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address to the hosts.allow file.
> Specifying the hosts DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be not any
> longer available at the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?
>
> thx in advance,
> Klaus

Hi.

I use this line:

auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ssh.deny.login onerr=succeed

in /etc/pam.d/ssh

I then restrict users from logging in which I define in ssh.deny.login.
Maybe you can tweak it a bit and have a script getting updated IP
addresses for your hosts? I don't know if pam can make use of it, just a
suggestion.

Kenneth
Re: configure ssh-access
On the 12240th day after Epoch, Mario Ohnewald wrote:
> Hello!
>
>>-Original Message-
>>From: Anne Carasik [mailto:[EMAIL PROTECTED]
>>Sent: Monday, July 07, 2003 5:05 PM
>>To: [EMAIL PROTECTED]
>>Cc: debian-security@lists.debian.org
>>Subject: Re: configure ssh-access
>>
>>
>>Why not just limit the access through SSH public key?
>>It sounds like that would accomplish what you're trying
>>to do.
>
> I think this problem should not be solved with configuring sshd.

Wrong... You can configure sshd to accept only login from recognized
keys, and let the firewall open.

> I solved it with an iptables script which resolves my dynamic host every
> 5 mins, and then reloads the firewall if needed.

So, in some cases, you must wait 5 mins to connect?

> An ssh solution has the disadvantage that if it is buggy, a sshd config
> change might not save your box from unallowed access. That is why I block
> my ssh daemon, cause the possibility is there that there might be a ssh
> exploit soon ;)

And what if the dynamic host is not correctly set? Somebody getting your
previous IP has 5 mins to accomplish some weird job. And it's 4.9 mins
more than needed :)

-- 
DOS: n., A small annoying boot virus that causes random spontaneous
system crashes, usually just before saving a massive project. Easily
cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS.
(from David Vicker's .plan)

-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
RE: configure ssh-access
Hello!

>-Original Message-
>From: Anne Carasik [mailto:[EMAIL PROTECTED]
>Sent: Monday, July 07, 2003 5:05 PM
>To: [EMAIL PROTECTED]
>Cc: debian-security@lists.debian.org
>Subject: Re: configure ssh-access
>
>
>Why not just limit the access through SSH public key?
>It sounds like that would accomplish what you're trying
>to do.

I think this problem should not be solved with configuring sshd.
I solved it with an iptables script which resolves my dynamic host every
5 mins, and then reloads the firewall if needed.

An ssh solution has the disadvantage that if it is buggy, a sshd config
change might not save your box from unallowed access. That is why I block
my ssh daemon, cause the possibility is there that there might be a ssh
exploit soon ;)

In my eyes a combination of a sshd config solution and an iptables rule
would properly do its job quite safely.

Yours,
Mario

>
>-Anne
>
>[EMAIL PROTECTED] grabbed a keyboard and typed...
>> Hi!
>>
>> I want to make ssh-access possible only from a restricted
>> number of hosts - those that are named in /etc/hosts.allow.
>> Users who want to login have a DynDNS host-name that shall
>> be listed in hosts.allow to make it possible for users with
>> a dial-up internet connection, too.
>>
>> BUT:
>> The problem is that I can only login to the ssh-machine
>> when I enter the IP-address to the hosts.allow file.
>> Specifying the hosts DNS-name does not work!
>>
>> AND:
>> I'd prefer to specify the rules for logging into the machine
>> in the sshd_config-file, not in hosts.allow/deny.
>> But the AllowHosts/DenyHosts-options that could be used in
>> /etc/sshd_config earlier seem to be not any
>> longer available at the SSH-version I'm using.
>> It's: openssh-3.4p1-80 on a SuSE 8.1
>>
>> Has anybody ideas on these 2 problems?
>>
>> thx in advance,
>> Klaus
>>
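Two things in this thread come down to the same loop: Klaus's observation that a DynDNS name in hosts.allow never matches while the bare address does, and Mario's cron job that re-resolves his dynamic host and reloads the firewall. tcp_wrappers matches a host name pattern against the name it obtains by reverse-resolving the client's address; a DynDNS name is a forward record only (the dial-up address keeps the ISP's PTR), so a name pattern cannot match and only the address can. The following is an added example, not a script posted in the thread: a Python program that forward-resolves a list of DynDNS names and regenerates a marker-delimited sshd entry in hosts.allow from the result. The names, the lab network and the file path are hypothetical. It fails closed on names that do not resolve, which is one half of François's objection about a stale address being handed to somebody else; the other half, the refresh interval, still bounds how long the previous holder of an address stays allowed, so run it often.

```python
#!/usr/bin/env python3
"""Regenerate the sshd entry in /etc/hosts.allow from DynDNS names.

tcp_wrappers matches a host *name* pattern against the name it gets by
reverse-resolving the client's address.  A DynDNS name is a forward
record only (the dial-up address keeps the ISP's PTR), so a name pattern
never matches and only the address does.  This resolves each name
forward and writes the addresses instead, rewriting the file only when
the set of addresses changed.  Names and paths below are hypothetical.
"""
import ipaddress
import os
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample configuration (hypothetical names and network).
DYNDNS_NAMES = ["klaus.example.dyndns.org", "kmag.example.dyndns.org"]
STATIC_ALLOW = ["192.0.2.0/255.255.255.0"]   # always-allowed lab network
HOSTS_ALLOW = "/etc/hosts.allow"

MARK_BEGIN = "# BEGIN sshd-dyndns (generated)"
MARK_END = "# END sshd-dyndns (generated)"

Resolver = Callable[[str], str]


def resolve_names(names: Iterable[str],
                  resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Forward-resolve each name to a plain IPv4 address string.

    A name that fails to resolve, or resolves to something that is not a
    v4 address, maps to None and is dropped from the allow list: failing
    closed is preferable to keeping a stale address that the ISP may
    already have handed to someone else.
    """
    resolved: Dict[str, Optional[str]] = {}
    for name in names:
        try:
            addr = resolver(name)
            ipaddress.IPv4Address(addr)      # raises ValueError on junk
            resolved[name] = addr
        except (OSError, ValueError):        # socket.gaierror is an OSError
            resolved[name] = None
    return resolved


def render_block(resolved: Dict[str, Optional[str]],
                 static_allow: List[str]) -> str:
    """Build the marker-delimited block that goes into hosts.allow."""
    dynamic = sorted(a for a in resolved.values() if a)
    lines = [MARK_BEGIN]
    for name, addr in sorted(resolved.items()):
        lines.append(f"# {name} -> {addr or 'UNRESOLVED (dropped)'}")
    clients = static_allow + dynamic
    if clients:
        # tcp_wrappers client list: comma-separated addresses or net/mask pairs
        lines.append("sshd: " + ", ".join(clients))
    lines.append(MARK_END)
    return "\n".join(lines) + "\n"


def splice(existing: str, block: str) -> str:
    """Replace a previous generated block in the file text, or append one."""
    lines = existing.splitlines(keepends=True)
    begin = next((i for i, l in enumerate(lines) if l.rstrip("\n") == MARK_BEGIN), None)
    end = next((i for i, l in enumerate(lines) if l.rstrip("\n") == MARK_END), None)
    if begin is None or end is None or end < begin:
        sep = "" if not existing or existing.endswith("\n") else "\n"
        return existing + sep + block
    return "".join(lines[:begin]) + block + "".join(lines[end + 1:])


def update_file(path: str, names: Iterable[str], static_allow: List[str],
                resolver: Resolver = socket.gethostbyname) -> bool:
    """Rewrite `path` only when the generated block changed. Returns True on rewrite."""
    block = render_block(resolve_names(names, resolver), static_allow)
    try:
        with open(path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new = splice(existing, block)
    if new == existing:
        return False
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new)
    os.replace(tmp, path)   # atomic swap: sshd never reads a half-written file
    return True


if __name__ == "__main__":
    # Run from cron every few minutes; sshd (via libwrap) re-reads
    # hosts.allow on each connection, so no daemon reload is needed.
    if update_file(HOSTS_ALLOW, DYNDNS_NAMES, STATIC_ALLOW):
        print("hosts.allow updated")
```

Two practical points. First, because libwrap consults hosts.allow on every connection, the hosts.allow variant does not need the "reload the firewall" step that Mario's iptables version does; the same resolved set can of course also be turned into iptables rules if you want the packet filter in front of sshd as well. Second, the resolver is injected so the logic can be exercised offline; in production the default `socket.gethostbyname` is used, and a DynDNS outage simply empties the dynamic part of the list until names resolve again.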
Re: configure ssh-access
Why not just limit the access through SSH public key? It sounds like that would accomplish what you're trying to do.

-Anne

[EMAIL PROTECTED] grabbed a keyboard and typed...
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no
> longer available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Has anybody ideas on these 2 problems?
>
> thx in advance,
> Klaus
>
> --
> Klaus Siegesleitner - [EMAIL PROTECTED]
> SysAdmin at CAME (Center of Applied Molecular Engineering)
> University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg

--
Anne Carasik, System Administrator
gator at cacr dot caltech dot edu
Center for Advanced Computing Research
Re: configure ssh-access
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
>
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no
> longer available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1

It's there, except that this option has been generalized a bit. Try ``AllowUsers [EMAIL PROTECTED]''

The man says:

    If the pattern takes the form [EMAIL PROTECTED] then USER and HOST are separately checked, restricting logins to particular users from particular hosts.

I think it'll solve your problem.

bit,
adam

--
1024D/37B8D989 954B 998A E5F5 BA2A 3622 82DD 54C2 843D 37B8 D989
finger://[EMAIL PROTECTED] | Some days, my soul's confined
http://www.keyserver.net   | And out of mind Sleep forever
Re: configure ssh-access
On Mon, 7 Jul 2003 11:08:38 +0200, [EMAIL PROTECTED] wrote:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!

That's probably because it does a reverse lookup on the connecting IP to see if it matches. It would need to look up every hostname in hosts.allow on each incoming connection to match a dynamic DNS name. If you see what I mean.

> Has anybody ideas on these 2 problems?

You could do what I do, allow anyone to connect but allow only public key authentication (and protocol 2).

Alan.
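As an added illustration of Alan's explanation (not code from the thread or from tcp_wrappers itself), the following Python models how libwrap names a client by a reverse lookup and then checks that name against hosts.allow entries. The DNS tables, hostnames and addresses are constructed for the example.

```python
"""Simplified model of tcp_wrappers host matching (added example, not libwrap).

libwrap names the client by a reverse (PTR) lookup of the connecting address
and trusts that name only if a forward lookup maps it back to the same
address.  Hostname entries in hosts.allow are compared against that name,
so a DynDNS name with no matching PTR record never matches, while a literal
IP entry matches directly.
"""
from ipaddress import ip_address

# Constructed DNS data in documentation ranges (hypothetical names).
PTR = {"192.0.2.10": "pool-10.isp.example",
       "203.0.113.5": "pool-5.isp.example",
       "198.51.100.7": "spoof.example"}          # PTR that does not map back
FWD = {"pool-10.isp.example": {"192.0.2.10"},
       "pool-5.isp.example": {"203.0.113.5"},
       "klaus.dyndns.example": {"203.0.113.5"},  # user's DynDNS name
       "spoof.example": {"192.0.2.99"}}


def client_name(ip, ptr=PTR, fwd=FWD):
    """Reverse-resolve ip; keep the name only if it forward-resolves back."""
    name = ptr.get(ip)
    if name is None or ip not in fwd.get(name, set()):
        return None   # libwrap treats such a client as unknown ("paranoid")
    return name


def hosts_allow_permits(ip, entries, ptr=PTR, fwd=FWD):
    """True if any hosts.allow client entry matches the connection from ip."""
    name = client_name(ip, ptr, fwd)
    for entry in entries:
        try:                                  # literal address entry
            if ip_address(entry) == ip_address(ip):
                return True
            continue
        except ValueError:
            pass                              # not an address: hostname pattern
        if entry.startswith("."):             # leading dot: domain suffix
            if name and name.endswith(entry):
                return True
        elif name == entry:                   # exact hostname
            return True
    return False


ENTRIES = ["192.0.2.10", "klaus.dyndns.example"]   # the two forms Klaus tried

if __name__ == "__main__":
    print(hosts_allow_permits("192.0.2.10", ENTRIES))   # True: IP entry matches
    print(hosts_allow_permits("203.0.113.5", ENTRIES))  # False: PTR name differs
```

The second call fails although klaus.dyndns.example does resolve to 203.0.113.5, because the connecting address's reverse name is the ISP's pool name, which is what gets compared.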
configure ssh-access
Hi!

I want to make ssh-access possible only from a restricted number of hosts - those that are named in /etc/hosts.allow. Users who want to login have a DynDNS host-name that shall be listed in hosts.allow to make it possible for users with a dial-up internet connection, too.

BUT:
The problem is that I can only login to the ssh-machine when I enter the IP-address into the hosts.allow file. Specifying the host's DNS-name does not work!

AND:
I'd prefer to specify the rules for logging into the machine in the sshd_config-file, not in hosts.allow/deny. But the AllowHosts/DenyHosts-options that could be used in /etc/sshd_config earlier seem to be no longer available in the SSH-version I'm using. It's: openssh-3.4p1-80 on a SuSE 8.1

Has anybody ideas on these 2 problems?

thx in advance,
Klaus

--
Klaus Siegesleitner - [EMAIL PROTECTED]
SysAdmin at CAME (Center of Applied Molecular Engineering)
University of Salzburg, Jakob-Haringerstrasse 5, A-5020 Salzburg