Date:      Sun, 28 Oct 2001 17:36:01 -0500
From:      "Kutulu" <kutulu@kutulu.org>
To:        <freebsd-questions@freebsd.org>
Subject:   Two sshd questions...
Message-ID:  <003901c16000$ee0b0290$88682518@longhill1.md.home.com>

Two (unrelated) questions regarding ssh, and OpenSSH in particular:

1. Is there a way to prevent the ssh client from overriding options in
/etc/ssh/ssh_config?  Specifically, I run a very restricted machine from my
jobsite and only have ssh access allowed for about 5 people.  I'm very
concerned about security here, so I have options like StrictHostKeyChecking
turned on.  However, users can override this with the '-o' option in the ssh
client.  I'm concerned that they will become used to overriding my options
and not pay attention the one time their remote hostkey really is wrong.  Is
there anything I can do to stop this?  Even better, can I permit them to
override only a subset of options?

2. A more 'best practices' question:  Which is the preferred version of ssh
to be running?  By preferred I'm speaking strictly from a security
standpoint.  Currently I have only sshv2 permitted on the server (though
again, the users can force sshv1 in their clients).  Most sites seem to be
running both, but there are a few that only run sshv1 servers.  Whenever I
ask, I hear conflicting reports as to their relative security.  Some people
say sshv2 is more secure, some people say sshv2 is buggy and only sshv1 is
stable, some people complain that DSA isn't as secure as RSA and thus
shouldn't be used.  Trying to track down real facts about this revealed
problem reports of ssh2 daemons running in ssh1 mode, (which is why I turned
that off) but not much else.  Any pointers?

--K

