Date:      Sun, 28 Oct 2001 17:36:01 -0500
From:      "Kutulu" <kutulu@kutulu.org>
To:        <freebsd-questions@freebsd.org>
Subject:   Two sshd questions...
Message-ID:  <003901c16000$ee0b0290$88682518@longhill1.md.home.com>

Two (unrelated) questions regarding ssh, and OpenSSH in particular:

1. Is there a way to prevent the ssh client from overriding options in
/etc/ssh/ssh_config?  Specifically, I run a very restricted machine from my
jobsite and only have ssh access allowed for about 5 people.  I'm very
concerned about security here, so I have options like StrictHostKeyChecking
turned on.  However, users can override this with the '-o' option in the ssh
client.  I'm concerned that they will become used to overriding my options
and not pay attention the one time their remote hostkey really is wrong.  Is
there anything I can do to stop this?  Even better, can I permit them to
override only a subset of options?

2. A more 'best practices' question:  Which is the preferred version of ssh
to be running?  By preferred I'm speaking strictly from a security
standpoint.  Currently I have only sshv2 permitted on the server (though
again, the users can force sshv1 in their clients).  Most sites seem to be
running both, but there are a few that only run sshv1 servers.  Whenever I
ask, I hear conflicting reports as to their relative security.  Some people
say sshv2 is more secure, some people say sshv2 is buggy and only sshv1 is
stable, some people complain that DSA isn't as secure as RSA and thus
shouldn't be used.  Trying to track down real facts about this revealed
problem reports of ssh2 daemons running in ssh1 mode, (which is why I turned
that off) but not much else.  Any pointers?

--K

