Date: Thu, 20 Jan 2000 09:06:23 -0600 From: Richard Martin <dmartin@origenbio.com> To: sen_ml@eccosys.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: ssh Message-ID: <3887246F.310D98F8@origenbio.com> References: <20000120093017.18539.qmail@hotmail.com> <20000120193954V.1000@eccosys.com>
next in thread | previous in thread | raw e-mail | index | archive | help
sen_ml@eccosys.com wrote: > > jslat> For what need, would one have to even remotely Logon to the > jslat> root account, my advice to to not even have a ~/root/.ssh to > jslat> begin with. to me it's about as silly as ~/root/.rhosts. > A suggestion we us is to change the sshd.config to the following PasswordAuthentication no This requires use of the RSA key phrase (not the user password) to log in to ssh. Since the RSA key phrase is never kept on the machine, it adds another level of security. And since our pass phrase for root is a 44 character phrase including numbers and caps, its probably rather difficult to guess. Then make it more difficult to even get a connection. Change in ssh.config StrictHostKeyChecking yes StrictHostKeyChecking requires that the sysadmin append and new keys to whomever's keyring, meaning that strangers cannot just log in and append their keys by default. This is a bit more work for the operator, but very much more secure. Depends on how many people need ssh access, I guess. Finally, if you have only a few remote machines that need to get ssh access, use the AllowHosts [hosts] directive in sshd. -- Richard Martin dmartin@origen.com OriGen Biomedical Tel: +1 512 474 7278 2525 Hartford Rd. Fax: +1 512 708 8522 Austin, TX 78703 http://www.cardiacdocs.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3887246F.310D98F8>