Date: Fri, 02 Jul 1999 20:12:59 -0700 From: "Robert Sowders" <rsowders@usgs.gov> To: cjclark@home.com Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: SSH Working Like rsh Message-ID: <s77d1d5b.002@usgs.gov>
next in thread | raw e-mail | index | archive | help
I am guilty of being wordy at times but it's good for the new people on the list who might be having=20 the same problem. A good resource for ssh questions is http://www.employees.org/~satch/ssh/faq/ If you want to try something else that's got=20 secure ftp look to my good buddies at stanford.edu http://srp.stanford.edu/srp/ Other resources http://ns.uoregon.edu/pgpssh/sshstart.html#public-key-crypto http://www.tor.shaw.wave.ca/~unix/linux/tcpd.html To answer your question, YES, rsa-based host authentication is more secure than rhosts authentication. Nest quesiton, unless you specify in sshd_config to not allow root logins, then any user may use=20 the -l switch and login as any user including root=20 if they know the password. Then if they have their=20 DNS setup correctly (reverse name lookup), and=20 they are allowed or just not denied via tcpwrappers,=20 and they know the password, they're in. Ssh just tries to verify that the machine you're connecting from is who it says it is, and the machine you're connecting to, is who it says it is, before connecting and doing encrypted password transfers. You can setup tcpwrappers to deny connections=20 via individual protocols and limit connections via=20 ssh to only a few ips or domains or users, but I=20 haven't played with it much other than to deny=20 everyone outside my domain. You might try using rdist with ssh if your trying to keep something in sync. >>> "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com> 7/1/99 1:37:55 = PM >>> Robert Sowders wrote, [snip some good step-by-step directions, but directrions for stuff I presonally had already figured out.] > If you would like to do password less logins with > RSA passphrase then you will need to do the=20 > following. Be aware that the scary statements > about null passphrased private key are there for a=20 > good reason. If someone can steal your key or copy=20 > it then they will have root on the receiving machine > with no questions asked, but to do this from any=20 > machine other than the one they stole it from is very=20 > difficult and again they would have to have a toehold=20 > on your machine to start with. > So Caveot Emptor. OK, I guess this is what I was really after. First, is RSA-based host authentification not better than old-fashioned rhosts authentification?=20 Isn't it better to use this, even if I am going to have to go with null-passphrases, than to use rhost authentification within SSH (or gods forbid, using the actual rsh suite). Hmmm... Now that I think about it, there really is no reason for root to be able to ssh in from any other machine but that one (I typically ssh in with a mortal user and su to root when being interactive). Hmmm... How does an individual user tell the sshd configuration which hosts to allow access to this account? The ~/.ssh/authroized_keys lets people in, but it does not necesarily turn people away. I would like to be able to restrict what hosts can access root, but not put any restrictions on certain other users. If that is possible, it seems using the null-passphrase would not be much of a risk (if it even is in the first place). Thanks a lot for the very complete reply. --=20 Crist J. Clark cjclark@home.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?s77d1d5b.002>