From owner-freebsd-stable Wed Dec 5 10:57:23 2001
From: John Reynolds~
Message-ID: <15374.28185.485112.113662@chlx169.ch.intel.com>
Date: Wed, 5 Dec 2001 11:57:29 -0700
To: freebsd-stable@FreeBSD.ORG
Subject: Re: naive security question
In-Reply-To: <20011205184000.GA21710@sploo.aagh.net>
References: <20011205174654.93719.qmail@web21009.mail.yahoo.com> <20011205184000.GA21710@sploo.aagh.net>

[ On Wednesday, December 5, Thomas Hurst wrote: ]
>
> If you want to remove the password guessing bit, disable it and use
> RSA/DSA keys instead. Also the general consensus would seem to be to
> stick to SSH2 if you're really that worried.

You can also go one step further and put more "constraints" on the keys in your authorized_keys and authorized_keys2 files. From sshd(8):

    from="pattern-list"
        Specifies that in addition to RSA authentication, the canonical
        name of the remote host must be present in the comma-separated
        list of patterns (`*' and `?' serve as wildcards). The list may
        also contain patterns negated by prefixing them with `!'; if the
        canonical host name matches a negated pattern, the key is not
        accepted. The purpose of this option is to optionally increase
        security: RSA authentication by itself does not trust the network
        or name servers or anything (but the key); however, if somebody
        somehow steals the key, the key permits an intruder to log in from
        anywhere in the world. This additional option makes using a stolen
        key more difficult (name servers and/or routers would have to be
        compromised in addition to just the key).

So you can specify which machines you can SSH from (if you can narrow down the set of "authorized hosts" from which you can ssh into your box). A sample of my file:

    from="somehost.foo.bar.com" 1024 35 16503156

So, now even if somebody stole that key and could use it to try and authenticate with it, unless they can also present themselves as somehost.foo.bar.com, it won't work.

Anyway, 'only the paranoid survive' :)

-Jr

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| John Reynolds WCCG, CCE, CDS - Senior CAD Engineer |
| Intel Corporation MS: CH6-210 Phone: 480-554-9092 pgr: 602-868-6512 |
| jreynold@sedona.ch.intel.com http://www-aec.ch.intel.com/~jreynold/ |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
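
Added example, not part of the original message and not OpenSSH code: a small Python audit that applies the from="pattern-list" rules quoted above to an authorized_keys file and reports, for a given client host name, which keys are unrestricted, allowed or denied. The function names, the sample file and its placeholder key material are constructed here; the client host name is taken as already resolved, and comparing names case-insensitively is an assumption.

```python
import re

def host_allowed(host, pattern_list):
    """from= semantics per the sshd(8) text: a negated match rejects, else any positive match accepts."""
    host = host.lower()  # assumption: host names are compared case-insensitively
    accepted = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        # Only '*' and '?' are wildcards; every other character is literal.
        rx = re.escape((pat[1:] if negated else pat).lower()).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(rx, host):
            if negated:
                return False
            accepted = True
    return accepted

def from_patterns(line):
    """Return the from= pattern list in the options field of one key line, or None."""
    field = re.match(r'(?:"[^"]*"|\S)+', line.strip())  # first field, quotes kept together
    m = field and re.search(r'(?:^|,)from="([^"]*)"', field.group(0), re.I)
    return m.group(1) if m else None

def audit(text, client_host):
    """Return (line_no, verdict) per key line: 'unrestricted', 'allowed' or 'denied'."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        pats = from_patterns(line)
        verdict = "unrestricted" if pats is None else (
            "allowed" if host_allowed(client_host, pats) else "denied")
        results.append((n, verdict))
    return results

# Constructed sample file; key material is a placeholder, not a real key.
SAMPLE = '''\
# first entry uses the sample line from the message above
from="somehost.foo.bar.com" 1024 35 16503156 jr@somehost
from="*.foo.bar.com,!guest?.foo.bar.com" ssh-rsa AAAAPLACEHOLDER jr@laptop
ssh-rsa AAAAPLACEHOLDER jr@anywhere
'''

if __name__ == "__main__":
    for host in ("somehost.foo.bar.com", "guest1.foo.bar.com", "evil.example.net"):
        print(host, audit(SAMPLE, host))
```

Any line reported as "unrestricted" is a key that, if stolen, works from any host, which is the case the from= option is meant to close.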