Date: 19 Oct 2005 09:16:55 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To: Olaf Greve <o.greve@axis.nl>
Cc: freebsd-questions@freebsd.org
Subject: Re: Proper SSH set-up
Message-ID: <44wtk9y7co.fsf@be-well.ilk.org>
In-Reply-To: <4354BD8F.7040308@axis.nl>
References: <20051018052432.GA11190@symonds.net> <20051018054617.GA12063@symonds.net> <4354BD8F.7040308@axis.nl>

Olaf Greve <o.greve@axis.nl> writes:

> Hi all,
>
> I have some probably straightforward questions regarding SSH, and I
> couldn't find the answers to all of them using Google, so I hope
> someone can provide me with them. :)
>
> The situation:
> Last week I added a second (fall-back) server next to my life server,
> and I want to automate down-syncing from the life server to the
> fall-back machine. Both machines have an "outside world" connection
> via one NIC, and both are connected to one another directly via a
> cross-wire, on a second NIC, on a local 192.168.1.x net. The files get
> synced using rsync (over the 192.168.1.x net, of course), and I also
> have prepared a script for dumping the MySQL tables on the live
> server, and pushing them into the fall-back server over an SSH tunnel
> (again: on the 192.168.1.x net).
>
> My questions mainly concern this last step, as well as general SSH
> set-up questions.
>
> The questions:
> 1-Which key types are better/preferred: RSA or DSA?

For default-sized keys, the differences are unimportant.
If you use longer key lengths (over 1280 bits, I think),
DSA doesn't improve security, but RSA does.

> 2-If I generate an RSA or DSA key on my fall-back server without a
> pass-phrase, and allow root access from the life server only (by
> stating something like AllowUsers root@192.168.1.1 in sshd_config on
> the fall-back machine), will that somehow compromise the general SSH
> security of the fall-back machine (as no pass-phrase is then used),
> for outside world connections?

You can limit the key's use so that it shouldn't compromise your
security, but it's always possible that a bug or a mistake on
your part will open up the machine unintentionally. I feel safer
not allowing remote privileged access to my machines at all.

> 3-I'm considering enforcing very strict SSH access. Will adding a line
> to sshd_config like: "AllowUsers root@192.168.1.1 olaf eric" force SSH
> to ONLY allow those three users (and no other ones), with root only
> allowed from 192.168.1.1, and the other two users from anywhere in the
> world?

It's supposed to. I haven't tested it lately; try an experiment.

> 4-If I add an RSA/DSA key of the life server only to the
> authorized_keys files on the fall-back server, will SSH still allow me
> to connect to it using e.g. the user olaf with password authentication
> from anywhere in the world, or will that one then be locked out until
> I add the key of each and every machine I need access from to the
> authorized_keys file?

In the default configuration, you will still be able to log in with
your user account.

Also consider limiting the passphraseless key: the sshd(8) manual page
describes a number of limitations you can put in the authorized_keys
file for this purpose.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
		http://be-well.ilk.org/~lowell/

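Added example, not part of the original message: a shell check that flags authorized_keys entries missing the from= and command= limitations that sshd(8) documents, which is the kind of restriction the reply suggests for a passphraseless key. The sample file, its placeholder key blobs and the forced-command path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit authorized_keys entries
# for the from= and command= limitations documented in sshd(8).

# audit_keys [FILE]: print "LINE STATUS COMMENT" for each key entry.
# STATUS: ok | no-from | no-command | unrestricted
audit_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # Blank out quoted option values, which may contain spaces.
        # Assumption: values hold no escaped double quotes.
        gsub(/"[^"]*"/, "\"\"", line)
        n = split(line, f, /[ \t]+/)
        i = 1; opts = ""
        # A first field that is not a key type is the options list.
        if (f[1] !~ /^(ssh-|ecdsa-|sk-)/) { opts = "," tolower(f[1]); i = 2 }
        status = "ok"
        if (opts !~ /,from=/) status = "no-from"
        if (opts !~ /,command=/)
            status = (status == "ok") ? "no-command" : "unrestricted"
        comment = (f[i + 2] == "") ? "-" : f[i + 2]
        print NR, status, comment
    }' "$@"
}

# Constructed sample file: key blobs are placeholders, and the forced
# command path is hypothetical.
sample_keys() {
    cat <<'EOF'
# authorized_keys on the fall-back server (constructed)
ssh-rsa AAAA_PLACEHOLDER_1 root@live
from="192.168.1.1",command="/usr/local/sbin/load-dump --quiet",no-pty,no-port-forwarding ssh-rsa AAAA_PLACEHOLDER_2 sync@live
from="192.168.1.1" ssh-dss AAAA_PLACEHOLDER_3 olaf@laptop
EOF
}

sample_keys | audit_keys
```

Run it against a real file with `audit_keys ~/.ssh/authorized_keys`; any entry reported as `unrestricted` works from any source address and can run any command.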
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44wtk9y7co.fsf>