From owner-freebsd-questions@FreeBSD.ORG Thu Oct 23 04:29:01 2003
From: Matthew Seaman
To: Gene Mats
Cc: freebsd-questions@freebsd.org
Date: Thu, 23 Oct 2003 12:28:33 +0100
Subject: Re: SSHD Host Based Authentication NOT working
Message-ID: <20031023112833.GB39601@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <002a01c39909$d6bea6c0$b071cea7@inex>
References: <002a01c39909$d6bea6c0$b071cea7@inex>
User-Agent: Mutt/1.5.4i
List-Id: User questions (freebsd-questions@freebsd.org)
On Wed, Oct 22, 2003 at 10:03:23PM -0400, Gene Mats wrote:
> Hello,
>
> I am having a problem with activating SSHD Host Based Authentication on
> my FreeBSD OS. Below is my /etc/ssh/sshd_config file.
>
> HostbasedAuthentication yes
> PermitRootLogin no
> VerifyReverseMapping yes
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
>
> My /etc/hosts.equiv and /etc/shosts.equiv have a few specific hostnames.
> But it seems I can still connect from any host -(.
>
> How can I block ALL hosts' access to my SSHD? I tried putting in a minus
> minus in the /etc/hosts.equiv and /etc/shosts.equiv and I have the
> HostbasedAuthentication setting turned up to yes. Still no success.
>
> Any help would be appreciated.

Yes -- {,s}hosts.equiv don't control what hosts you can connect from,
only what hosts will be allowed to bypass the usual authentication step.
To prevent remote hosts connecting to your sshd(8), you can use
tcpwrappers (/etc/hosts.allow) or you can set up a firewall to filter
incoming packets to port 22.

Do you really need to use host based access control? It is not
generally recommended nowadays -- too many possibilities for spoofing
or other nastiness unless you really know what you're doing and the
rest of your network infrastructure is pretty bullet proof. It's
generally held to be preferable to use key based authentication --
these can be passwordless keys for unattended operation, and you should
make full use of the features of the ~/.ssh/authorized_keys file that
limit what hosts may connect and what commands they run using any
particular key.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
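The authorized_keys restrictions Matthew recommends (from= to pin a key to particular client hosts, command= to force one command, and the no-* options for an unattended key) are easy to get wrong, because the option list in front of a key allows quoted commas and escaped quotes, and because a negated from= pattern on its own never grants access. The following audit script is an added example written for this page; it is not code from the original reply or from the OpenSSH project. It parses the option syntax, flags keys that are usable from any host or that give an unrestricted shell, and evaluates a from= pattern list with (simplified) sshd semantics. The sample authorized_keys content and the hostnames and addresses in it are constructed, and the key blobs are placeholders, not real keys. The "restrict" option it recognises exists in OpenSSH 7.2 and later and was not available in 2003.

```python
"""Audit an OpenSSH authorized_keys file for keys that are not pinned to a
source host (from=) or a forced command (command=), and evaluate from=
pattern lists.  Added example, not from the original post.  The sample
file is constructed; key blobs are placeholders, not real keys."""
import fnmatch
import ipaddress
import re

KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)(-cert-v01@openssh\.com)?|ecdsa-sha2-\S+|sk-\S+)$")

# Options an unattended (passwordless) key should carry; OpenSSH 7.2+ can
# replace the whole list with the single "restrict" option.
WANTED = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding")

SAMPLE_AUTHORIZED_KEYS = """\
# constructed: backup key pinned to two sources and one command
from="backup.example.org,10.0.0.0/24",command="/usr/local/bin/rsync-backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALNOTAREALKEY0000000000 backup@backup.example.org
# constructed: interactive key with no restrictions at all
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIALNOTAREALKEY1111111111 alice@laptop
# constructed: pinned by host pattern (with a negated entry) but any command
from="!*.untrusted.example.org,*.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYMATERIALNOTAREALKEY2222222222 bob@desk
"""


def parse_options(text):
    """Split the option list preceding a key into (name, value) pairs.
    Quoted values may contain commas and backslash-escaped quotes, so a
    plain split(",") is wrong.  Returns (options, remainder of line)."""
    options, name, value, in_quote, i = [], [], None, False, 0
    while i < len(text):
        c = text[i]
        if in_quote:
            if c == "\\" and i + 1 < len(text) and text[i + 1] == '"':
                value.append('"')
                i += 2
                continue
            if c == '"':
                in_quote = False
            else:
                value.append(c)
        elif c == '"':
            in_quote = True
            if value is None:
                value = []
        elif c == "=" and value is None:
            value = []                      # start of an option value
        elif c == ",":
            options.append(("".join(name), None if value is None else "".join(value)))
            name, value = [], None
        elif c in " \t":
            break                           # end of the option list
        else:
            (name if value is None else value).append(c)
        i += 1
    options.append(("".join(name), None if value is None else "".join(value)))
    return options, text[i:].strip()


def parse_line(line):
    """None for blank/comment lines, else a dict describing the key.
    Repeated options (e.g. several environment=) collapse to the last one."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if KEY_TYPE_RE.match(line.split(None, 1)[0]):
        options, rest = [], line            # no option list in front of the key
    else:
        options, rest = parse_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE_RE.match(fields[0]):
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": dict(options), "type": fields[0], "blob": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}


def audit_key(entry):
    """Findings for one key; an empty list means the key is fully pinned down."""
    opts, findings = entry["options"], []
    if "from" not in opts:
        findings.append("any-host")         # usable from wherever the key leaks to
    if "command" not in opts:
        findings.append("any-command")      # interactive shell / arbitrary commands
    if "restrict" not in opts:
        findings.extend("missing " + o for o in WANTED if o not in opts)
    return findings


def audit(text):
    """[(line number, key comment, findings)] for every key in the file."""
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is not None:
            out.append((lineno, entry["comment"], audit_key(entry)))
    return out


def host_allowed(pattern_list, host, addr):
    """Simplified sshd from= evaluation: a matching negated pattern denies
    outright; otherwise some positive pattern must match the client's
    hostname or address.  CIDR patterns are matched against the address only,
    so a list consisting solely of negated patterns never allows anything."""
    positive = False
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if "/" in pat:
            try:
                matched = ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                matched = False
        else:
            matched = (fnmatch.fnmatchcase(host.lower(), pat.lower())
                       or fnmatch.fnmatchcase(addr, pat))
        if matched and negate:
            return False
        positive = positive or matched
    return positive
```

Run `audit()` over a real file to see which keys would still let a stolen private key log in from anywhere and run anything; the backup key in the sample is the shape to aim for with an unattended key. This audits only the per-key restrictions; the network-level block the reply mentions (tcpwrappers or a packet filter on port 22) is a separate layer and should be kept regardless of how the keys are configured.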