From: Martin Gregorie on
Dave {Reply Address in.Sig} wrote:
> Martin Gregorie wrote:
> I think you're using the wrong file. known_hosts is the file I use with
> my ssh client to communicate with remote machines. It stores keys for
> each server to which I connect and validates that it's the same one as
> last time (re-installing a server causes its keys to change, as does
> swapping one for another by just changing its hostname/IP address).
>
> Are you perhaps after the $HOME/.shosts file?
>
No. That's relatively insecure. In any case all the $HOME/* files are
used by the client. I'm seeking to restrict access to sshd.

There are TWO known_hosts files.

~/.ssh/known_hosts
This works like you describe and automatically collects the keys for the
hosts you connect to with your ssh client.

/etc/ssh/known_hosts
This is optional and used by sshd. If it is present it restricts the
hosts that sshd will accept connections from. The sshd manpage says it
does roughly the same job as hosts.accept and hosts.equiv in that, if
it's present, only connections from hosts listed in it will be accepted.
It's more secure than the other ways of restricting access because it
also contains the host's public keys. It is not automatically
maintained: the sysadmin maintains it manually.

Both files are described in the ssh and sshd manpages. Sheesh. I think
I'm giving out more information than I'm receiving. Doesn't anybody else
use ssh over the Internet and if not, why not and what do you use instead?

--
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
From: Martin Gregorie on
Colin McKinnon wrote:
> Martin Gregorie wrote:
> Honestly, for a small system not holding secure data I don't think it's worth
> the effort - by all means restrict the hosts which can connect to port 22
> on the machine in its firewall and with appropriate entries for tcp
> wrappers (man 5 hosts_access). Another step I'd recommend is to only allow
> ssh logins for users of a specific group (AllowGroups in sshd_config).
> Definitely don't allow root logins via ssh.
>
I'm thinking of using this setup for remote maintenance and there's an
extra comfort blanket in using the known_hosts scheme. At least it stops
man-in-the-middle and DNS attacks, which the other methods won't. Your point
about excluding ssh root logins is well taken, as is the group
restriction: limiting the visitor to a single login would be ideal, but
probably impractical because there doesn't seem to be a way of allowing
all access within the local domain unless I missed something.

There is a minor issue I need to get to the bottom of: I know of a
couple of FC4 installations that don't have su installed. It seems very
odd and I have no idea how it could happen.

>> - is it best to identify permitted clients by IP, host name or a
>> combination of the two?
>>
>> - if the client is behind a firewall, I suppose the IP would be
>> the firewall's external IP. Is this correct?
>>
>
> Not necessarily.
>
OK, but I guess using "host" from the server should be definitive.

>> - can the known_hosts entry be just the host ID?
>>
>
> Host ID?
>
I meant is it possible to set up known_hosts to contain only a host's
name(s) and IP, though I suppose this is equivalent to using
/etc/ssh/shosts.equiv

--
martin@ | Martin Gregorie
gregorie. |
org | Zappa fan & glider pilot
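Colin's recommendations above (AllowGroups, no root logins, tcp_wrappers via hosts_access) can be checked mechanically. The script below is an added example, not code from this thread or from OpenSSH; the sshd_config, hosts.allow and hosts.deny contents are constructed samples and the function names are my own. It also covers a trap the thread does not mention: sshd keeps the first value it reads for a keyword, so a `PermitRootLogin no` appended to the end of a file that already says `yes` changes nothing.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config and the
# tcp_wrappers files for the restrictions recommended above. Every file
# written below is a constructed sample, not taken from any real host.

# Print the effective value of an sshd_config keyword. sshd uses the FIRST
# occurrence of a keyword and ignores later duplicates; keywords are
# case-insensitive; settings under a "Match" block are conditional, so the
# scan stops there.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == key          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Check one sshd_config for the restrictions discussed in the thread: no root
# logins and an AllowGroups/AllowUsers whitelist. Prints one line per check
# and returns the number of failed checks.
audit_sshd_config() {
    cfg=$1 fails=0
    root=$(sshd_option "$cfg" PermitRootLogin)
    if [ "$root" = no ]; then
        echo "ok   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${root:-unset}' (want: no)"
        fails=$((fails + 1))
    fi
    groups=$(sshd_option "$cfg" AllowGroups)
    users=$(sshd_option "$cfg" AllowUsers)
    if [ -n "$groups$users" ]; then
        echo "ok   logins limited to groups '$groups' users '$users'"
    else
        echo "FAIL no AllowGroups/AllowUsers: every local account may log in"
        fails=$((fails + 1))
    fi
    port=$(sshd_option "$cfg" Port)
    echo "info sshd listens on port ${port:-22}"
    return "$fails"
}

# Does a hosts_access(5) file carry a rule whose daemon list names $2 (or ALL)?
# Rule syntax: "daemon_list : client_list [ : option ]".
has_wrapper_rule() {
    awk -v d="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { split($0, f, ":"); gsub(/[[:space:]]/, "", f[1])
          n = split(f[1], ds, ",")
          for (i = 1; i <= n; i++) if (ds[i] == d || ds[i] == "ALL") found = 1 }
        END { exit !found }
    ' "$1"
}

# tcp_wrappers fences sshd only when hosts.deny blocks it by default AND
# hosts.allow lists it with the permitted clients. This checks that both
# halves exist ($1 = hosts.allow, $2 = hosts.deny); it does not judge how
# narrow the client list is.
wrappers_fence_sshd() {
    has_wrapper_rule "$1" sshd && has_wrapper_rule "$2" sshd
}

# Constructed sample files.
WEAK_CONFIG=$(mktemp)
HARDENED_CONFIG=$(mktemp)
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
trap 'rm -f "$WEAK_CONFIG" "$HARDENED_CONFIG" "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT
cat >"$WEAK_CONFIG" <<'EOF'
# constructed sample: an unhardened sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later; ignored because sshd keeps the FIRST value it reads
PermitRootLogin no
EOF
cat >"$HARDENED_CONFIG" <<'EOF'
# constructed sample: the restrictions recommended in the thread
Port 2222
PermitRootLogin no
AllowGroups sshusers admins
EOF
cat >"$HOSTS_ALLOW" <<'EOF'
# constructed sample: only the office network may reach sshd
sshd: 192.0.2.0/255.255.255.0
EOF
cat >"$HOSTS_DENY" <<'EOF'
ALL: ALL
EOF

for cfg in "$WEAK_CONFIG" "$HARDENED_CONFIG"; do
    audit_sshd_config "$cfg" || echo "     $? check(s) failed"
done
if wrappers_fence_sshd "$HOSTS_ALLOW" "$HOSTS_DENY"; then
    echo "ok   tcp_wrappers: default deny plus explicit sshd allow rule"
else
    echo "FAIL tcp_wrappers does not fence sshd"
fi
```

Point the functions at the real `/etc/ssh/sshd_config`, `/etc/hosts.allow` and `/etc/hosts.deny` to audit a live box; the return code of `audit_sshd_config` makes it usable from a cron job or a configuration check.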
From: Ian Rawlings on
On 2006-01-15, Martin Gregorie <martin(a)see.sig.for.address> wrote:

> /etc/ssh/known_hosts
> This is optional and used by sshd. If it is present it restricts the
> hosts that sshd will accept connections from. The sshd manpage says it
> does roughly the same job as hosts.accept and hosts.equiv in that, if
> it's present, only connections from hosts listed in it will be accepted.

Hmm, my man page doesn't say that, it's mildly ambiguous but it says
that it's the system-wide equivalent of the ~/.ssh/known_hosts file,
and is used for verifying the remote host that you are initiating a
connection to.

What version of SSH are you using, and can you post the man page
section that you think states that the file is used to check
*incoming* connections?

--
Blast off and strike the evil Bydo empire!
From: alexd on
Martin Gregorie wrote:

> Both files are described in the ssh and sshd manpages. Sheesh. I think
> I'm giving out more information than I'm receiving.

Welcome to Usenet :-D

> Doesn't anybody else use ssh over the Internet

Yes. I use it to get into my machine at home from work. Also we use it at
$ork to get into machines at the data centre. Here's a few things I found
useful:

Windows -> *nix:

http://www.unixwiz.net/techtips/putty-openssh.html

also this has a few tidbits of useful information:

http://forum.ev1servers.net/showthread.php?t=32847

*nix -> *nix:

http://cfm.gs.washington.edu/security/ssh/client-pkauth/

> and if not, why not and what do you use instead?

To be honest I don't think there is anything else that one would want to use
over the internet. SSH and VNC [with the requisite security] are the
de-facto standards for remote access - even commercially available remote
KVM switches use VNC, and I've been looking at a remote power management
unit for said data centre that one can SSH into to power cycle kit etc.

alexd
--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
10:40:49 up 13 days, 21:58, 2 users, load average: 0.20, 0.14, 0.10
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

From: Dave {Reply Address in.Sig} on
Martin Gregorie wrote:
> Dave {Reply Address in.Sig} wrote:
>> Martin Gregorie wrote:
>> I think you're using the wrong file. known_hosts is the file I use
>> with my ssh client to communicate with remote machines. It stores keys
>> for each server to which I connect and validates that it's the same
>> one as last time (re-installing a server causes its keys to change, as
>> does swapping one for another by just changing its hostname/IP address).
>>
>> Are you perhaps after the $HOME/.shosts file?
>>
> No. That's relatively insecure. In any case all the $HOME/* files are
> used by the client. I'm seeking to restrict access to sshd.
>
> There are TWO known_hosts files.
>
> ~/.ssh/known_hosts
> This works like you describe and automatically collects the keys for the
> hosts you connect to with your ssh client.
>
> /etc/ssh/known_hosts

I think you mean /etc/ssh/ssh_known_hosts for this one.

> This is optional and used by sshd. If it is present it restricts the
> hosts that sshd will accept connections from. The sshd manpage says it
> does roughly the same job as hosts.accept and hosts.equiv in that, if
> it's present, only connections from hosts listed in it will be accepted.
> It's more secure than the other ways of restricting access because it
> also contains the host's public keys. It is not automatically
> maintained: the sysadmin maintains it manually.
>
> Both files are described in the ssh and sshd manpages. Sheesh. I think
> I'm giving out more information than I'm receiving. Doesn't anybody else
> use ssh over the Internet and if not, why not and what do you use instead?
>
Nowhere in my man pages does it claim to restrict access. All that
happens from the client side if a host/key is not listed is warn that it
can't verify the host and ask if you want to proceed anyway. The
system-wide one is useless for access restriction anyway, because a user
can just have something in his local .ssh/known_hosts instead.

I allow access from anywhere (because I have on occasion needed it) but
not on the standard port 22.

If you really want to restrict access then either use a firewall on the
front of your network or use tcp wrappers.
--
Dave
mail da ve(a)llondel.org (without the space)
http://www.llondel.org
So many gadgets, so little time
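To settle what a known_hosts entry actually contains (Martin's "can the known_hosts entry be just the host ID?" question) and what the ssh client does with it, the script below is an added example, not from this thread or from OpenSSH. It parses a constructed known_hosts file and emulates the client's three outcomes: host known and key matching, host unknown, and host known but key changed. Assumptions: the key strings are made up; hashed `|1|...` entries, `@cert-authority`/`@revoked` marker lines and wildcard or negated host patterns are skipped rather than evaluated.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH). The file contents and key
# strings are constructed; they are not real host keys.

KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS"' EXIT
cat >"$KNOWN_HOSTS" <<'EOF'
# known_hosts line: host patterns (comma separated), key type, base64 key
gliderbox,gliderbox.example.org,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey1
[bastion.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedkey2
|1|c2FsdHNhbHRzYWx0c2FsdA==|aGFzaGVkaG9zdG5hbWVoYXNo= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedkey3
EOF

# Print "keytype key" for each entry whose host list names $2. Host names are
# compared case-insensitively; a non-default port is written as "[host]:port".
# Skipped here rather than evaluated: hashed entries ("|1|salt|hmac", which
# need the HMAC recomputed), "@cert-authority"/"@revoked" marker lines, and
# wildcard ("*", "?") or negated ("!") patterns.
known_hosts_lookup() {
    awk -v host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 ~ /^@/ || $1 ~ /^\|1\|/ { next }
        { n = split(tolower($1), patterns, ",")
          for (i = 1; i <= n; i++)
              if (patterns[i] == host) { print $2, $3; break } }
    ' "$1"
}

# Emulate the client-side decision for a key the server just presented:
# verify_host_key FILE HOST KEYTYPE KEY
#   0  host known and key identical: connect silently
#   1  no key of that type recorded for the host: ssh would show the
#      fingerprint and ask whether to add it
#   2  host known but key differs: ssh refuses and warns that the host key
#      changed (server reinstalled, or something impersonating it)
verify_host_key() {
    recorded=$(known_hosts_lookup "$1" "$2" | awk -v t="$3" '$1 == t { print $2; exit }')
    if [ -z "$recorded" ]; then
        return 1
    elif [ "$recorded" = "$4" ]; then
        return 0
    else
        return 2
    fi
}

# Walk through the three outcomes with the constructed file.
for probe in \
    "gliderbox ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey1" \
    "newbox.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedkey1" \
    "192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsomeoneelseskey"
do
    set -- $probe
    verify_host_key "$KNOWN_HOSTS" "$1" "$2" "$3" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: key matches the recorded $2 key" ;;
        1) echo "$1: no $2 key in known_hosts (first contact, or a typo in the name)" ;;
        2) echo "$1: HOST KEY CHANGED for $2 - do not proceed until explained" ;;
    esac
done
```

The point the thread converges on is visible in the code: the file is consulted by the side that *initiates* the connection, and an entry without the key column has nothing to verify against, which is why a host-name-only list belongs in shosts.equiv or hosts.allow rather than in known_hosts.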