From: "Kutulu" <kutulu@kutulu.org>
To: freebsd-questions@freebsd.org
Subject: Two sshd questions...
Date: Sun, 28 Oct 2001 17:36:01 -0500

Two (unrelated) questions regarding ssh, and OpenSSH in particular:

1. Is there a way to prevent the ssh client from overriding options in /etc/ssh/ssh_config? Specifically, I run a very restricted machine from my jobsite and only have ssh access allowed for about 5 people. I'm very concerned about security here, so I have options like StrictHostKeyChecking turned on. However, users can override this with the '-o' option in the ssh client. I'm concerned that they will become used to overriding my options and not pay attention to the one time their remote hostkey really is wrong. Is there anything I can do to stop this? Even better, can I permit them to override only a subset of options?
2. A more 'best practices' question: Which is the preferred version of ssh to be running? By preferred I'm speaking strictly from a security standpoint. Currently I have only sshv2 permitted on the server (though again, the users can force sshv1 in their clients). Most sites seem to be running both, but there are a few that only run sshv1 servers. Whenever I ask, I hear conflicting reports as to their relative security. Some people say sshv2 is more secure, some people say sshv2 is buggy and only sshv1 is stable, some people complain that DSA isn't as secure as RSA and thus shouldn't be used. Trying to track down real facts about this revealed problem reports of ssh2 daemons running in ssh1 mode (which is why I turned that off), but not much else. Any pointers?

--K
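The first question comes down to how ssh(1) resolves options: for each keyword it keeps the first value it obtains, reading the command line (-o), then ~/.ssh/config, then /etc/ssh/ssh_config, so the system-wide file supplies defaults rather than limits. The following simulation of that precedence is an added example, not code from the original post or from OpenSSH; the host names, the two config files and the -o arguments are constructed sample input.

```python
"""Model of OpenSSH client option precedence (constructed example).

ssh(1) uses the FIRST value obtained for each keyword, in this order:
command-line -o options, ~/.ssh/config, /etc/ssh/ssh_config.
"""
import fnmatch

# Constructed sample configs: the admin's system-wide file and one user's file.
SYSTEM_CONFIG = """
Host *
    StrictHostKeyChecking yes
    Protocol 2
"""
USER_CONFIG = """
Host legacy.example.net
    Protocol 1
"""


def parse_config(text):
    """Return (host_patterns, keyword, value) triples in file order."""
    patterns, entries = ["*"], []      # keywords before any Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()                             # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            patterns = value.split()
        else:
            entries.append((patterns, key, value))
    return entries


def effective_option(host, option, cli_opts=(), user_cfg="", system_cfg=""):
    """Return (value, source) that ssh would use for `option` on `host`."""
    option = option.lower()
    cli = [(["*"], k.lower(), v) for k, v in (o.split("=", 1) for o in cli_opts)]
    for source, entries in (("command line", cli),
                            ("~/.ssh/config", parse_config(user_cfg)),
                            ("/etc/ssh/ssh_config", parse_config(system_cfg))):
        for patterns, key, value in entries:
            if key == option and any(fnmatch.fnmatch(host, p) for p in patterns):
                return value, source            # first obtained value wins
    return None, None


if __name__ == "__main__":
    # A user passing -o StrictHostKeyChecking=no silently beats the admin's "yes".
    print(effective_option("db.example.org", "StrictHostKeyChecking",
                           ["StrictHostKeyChecking=no"], USER_CONFIG, SYSTEM_CONFIG))
```

Because the client honours the user's value first, the only setting on the page that actually binds the users is the server-side one (sshd only permitting protocol 2).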