Hi All,

How do I set sshd to only allow access to one local account? And if some option is commented out in sshd_config, does it use the default option? What exploits are there for the "UseLogin" option? e.g.

#UseLogin no

Thanks in advance,
Steven
Hi Steven,

> How do I set sshd to only allow access to one local account?

AllowUsers foo

> And if some option is commented out in sshd_config, does it use the default option?

SSHD has to, what else should it use ...

> What exploits are there for the "UseLogin" option? e.g. #UseLogin no

UseLogin allows one to do a "ssh foo" and then enter the password. If you disallow login you need to have an authorized key. Since you can limit the computers which can connect to computers (~/.ssh/authorized_keys) with from=bar, it provides extra security. Whether this is more secure depends on who knows the account's password, who can have access to authorized_keys and who to the master key on the other computer.

* * *

A not-that-uncommon setup for remote administration of larger unix pools is:
- run an extra sshd
- allow root login (only root)
- disallow login
- use a ~/.ssh/authorized_keys which allows only the main server's /root/.ssh/foo key to log in.

Tobias
--
This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man.
Hi,

On Monday 04 February 2002 13:54, Tobias Burnus wrote:

> Hi Steven,
>
> > And if some option is commented out in sshd_config, does it use the default option?
>
> SSHD has to, what else should it use ...
>
> > What exploits are there for the "UseLogin" option? e.g. #UseLogin no
>
> UseLogin allows one to do a "ssh foo" and then enter the password. If you disallow login you need to have an authorized key.

Sorry, but this is not quite correct. You are mistaking "UseLogin" for "PasswordAuthentication". "UseLogin" means to use the OS-supplied external login (/bin/login) for authentication. "man sshd" is your friend.

For vulnerability info on "UseLogin" see http://www.suse.com/de/support/security/2001_045_openssh_txt.html. Note that "UseLogin yes" (_not_ default) also means you are inheriting all security holes of login, see e.g. http://www.suse.com/de/support/security/2001_034_shadow_txt.html. Many vendors, including SuSE, Sun etc. have issued patches for login.

> Tobias

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
> Many vendors, including SuSE, Sun etc. have issued patches for login.

This is correct, yes. If you want to make logins possible for only one (or more) account(s), then use the option "AllowUsers" and/or "DenyUsers". Example:

AllowUsers draht root

will grant access for the users draht and root only.

Roman.
--
Roman Drahtmüller <draht@suse.de>        "You don't need eyes to see,
SuSE GmbH - Security                      you need vision!"
Nürnberg, Germany, Phone: +49-911-740530  Maxi Jazz, Faithless
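To tie the thread's answers together (the AllowUsers restriction, Steven's question about commented-out options, and the from= restriction that Tobias's setup relies on), here is an added POSIX shell example. It is not from the thread and not OpenSSH's own code. It resolves the value sshd will actually use for a few sshd_config keywords the way sshd does (the first uncommented occurrence wins; a keyword that only appears commented out falls back to the compiled-in default) over a constructed config, and counts authorized_keys entries that carry no from= option. The defaults table is my assumption from OpenSSH's documented defaults, and the config and key lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective value of sshd_config
# keywords. sshd takes the FIRST uncommented occurrence of a keyword; a keyword
# that only appears commented out (e.g. "#UseLogin no") falls back to the
# compiled-in default. The defaults table is an assumption based on OpenSSH's
# documented defaults; "sshd -T" on a live host is the authoritative check.
# Only the "Keyword value" form is handled, not "Keyword=value".

# Constructed sshd_config for the example (note the duplicate PermitRootLogin).
SAMPLE_CONFIG=$(cat <<'EOF'
# constructed sshd_config
Port 22
#UseLogin no
PasswordAuthentication no
AllowUsers draht root
PermitRootLogin yes
PermitRootLogin no
EOF
)

# Constructed authorized_keys: the first key is pinned to one source host with
# from=, the second is not. The key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS='from="10.0.0.5" ssh-rsa AAAAB3PLACEHOLDER== root@mainserver
ssh-rsa AAAAB3PLACEHOLDER== admin@laptop'

# Assumed defaults (keywords are case-insensitive). PermitRootLogin defaulted
# to "yes" in the OpenSSH versions of the thread's era and to
# "prohibit-password" since OpenSSH 7.0.
default_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        uselogin)               echo "no" ;;
        passwordauthentication) echo "yes" ;;
        permitrootlogin)        echo "yes" ;;
        allowusers)             echo "(unset: all users allowed)" ;;
        *)                      echo "(unknown default)" ;;
    esac
}

# Print the effective value of keyword $1 in config text $2.
effective_value() {
    _val=$(printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*#/ { next }          # comment lines never count
        /^[[:space:]]*$/ { next }          # blank lines
        tolower($1) == tolower(k) {        # keyword match, case-insensitive
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit   # first match wins
        }')
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        default_for "$1"
    fi
}

# Returns 0 if logins are restricted to a named set of users, 1 otherwise.
logins_restricted() {
    case "$(effective_value AllowUsers "$1")" in
        "(unset"*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Count authorized_keys entries with no from= option, i.e. keys that are
# accepted from any source host rather than only the main server.
keys_without_from() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        $1 !~ /(^|,)from=/ { n++ }
        END { print n + 0 }'
}

for kw in UseLogin PasswordAuthentication AllowUsers PermitRootLogin; do
    printf '%-24s %s\n' "$kw" "$(effective_value "$kw" "$SAMPLE_CONFIG")"
done
printf 'keys without from=: %s\n' "$(keys_without_from "$SAMPLE_AUTHORIZED_KEYS")"
```

Run against a real file with `effective_value AllowUsers "$(cat /etc/ssh/sshd_config)"`; the duplicate PermitRootLogin in the sample shows why the first-occurrence rule matters when a later line is added in the hope of overriding an earlier one.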