Per domain/host options for sshd?
Hi, is there any way to specify certain options for sshd only for some domains or hosts just like you can do it for the openssh client (Host section)? E.g., I would like to restrict the usage of authorized_keys files to certain "trusted" domains and disallow it from other domains. Does anyone know a way to do this? Thanks! cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: -4054
On Thursday 03 June 2004 22:50, Frank Steiner wrote:
Your logic is backward on this. Why would you want to force people to use passwords over un-trusted domains, when there is at least some indication that passwords can be guessed by timeing. Authorized keys are sent as a single burst (encrypted) and are inherantly more secure. But to answer your question, I have never heard of such capability. -- _____________________________________ John Andersen
John Andersen wrote:
On Thursday 03 June 2004 22:50, Frank Steiner wrote:
When you have different logins with different passwords, hacking one does not mean that you can login to the other, too. Excpect when you install authorized keys between these two accounts. That's what we want to prevent.
But to answer your question, I have never heard of such capability.
Hmm, likely it must be a hacking solution (different sshd, using sshrc etc.) cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: -4054
On Fri, 2004-06-04 at 13:55, Frank Steiner wrote:
Why don't you set up a TACACS+ serveror Kerberos5 server to handle authentication? Each user can have their own key, but all auth passed to the krb/tac server. On the auth server you can allow/deny access to various accounts/hosts etc, the configuration is limitless. i.e is this user allowed to access this machine - YES/NO is this user allowed to access this account - YES/NO is this user allowed to access this machine from this machine - YES/NO is this user allowed to access this machine from this machine with this account - YES/NO Then, don't every allow anyone direct root access, only for a very very selct few, i.e. you. Setup sudo correctly, because that way you can easily track who does what when and where, couipled with your auth server's logs, all your paranoia will be taken care of as you will be able to trace everything back, I mean everything. B
b@rry.co.za wrote:
Interesting idea. We will setup a kerberos server soon anyway for authentication of NFS, so I guess I could easily extend it a bit... Thanks for that idea! cu, Frank -- Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/ Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/ LMU, Amalienstr. 17 Phone: +49 89 2180-4049 80333 Muenchen, Germany Fax: -4054
On Friday 04 June 2004 03:55, Frank Steiner wrote:
Authorized keys from a hacked machine is only a problem if you create no passphrase when the keys were created. With a passphrase protected authorized key even a hacked machine (or stolen laptop) does not put you at further risk. -- _____________________________________ John Andersen
* Frank Steiner <fsteiner-mail@bio.ifi.lmu.de> [2004-06-04 08:53]:
$ man sshd /AUTHORIZED_KEYS FILE FORMAT But beware: when ther's a way for the corresponding user to modify his ~/.ssh/authorized_keys, he could remove the corresponding entries. So, the best bet would be setting something like AuthorizedKeysFile /etc/ssh/authorized_keys.%u in /etc/ssh/sshd_config. The corresponding user's authorized_keys would then be stored as /etc/ssh/authorized_keys.$USERNAME and due to the permissions of /etc/ssh they wouldn't be writable to the user. -- Wolfram Schlich; Friedhofstr. 8, D-88069 Tettnang; +49-(0)178-SCHLICH
participants (4)
-
b@rry.co.za
-
Frank Steiner
-
John Andersen
-
Wolfram Schlich