From: Tony van der Hoff on 15 Jan 2006 06:50

Martin Gregorie <martin(a)see.sig.for.address> wrote in message <dqd6m0$ii8$1$8302bc10(a)news.demon.co.uk>
[snip]
> Both files are described in the ssh and sshd manpages. Sheesh. I think I'm
> giving out more information than I'm receiving. Doesn't anybody else
> use ssh over the Internet and if not, why not and what do you use instead?
>
Yes, I use ssh over the internet, and have done so for a year or two now (at magpieway.net). The main reason is for me to take my laptop to any customer's site, and access my server from there. I don't use /etc/ssh/known_hosts.

TBH, I've not joined in this thread so far, because I don't understand what the fuss is about. I don't have much to add over what has already been said. Set up /etc/ssh/sshd_config as per the man page, i.e. the default, and make sure you deny root access (permitrootlogin=no). Then only use strong passwords for all users, and restrict them to a group that needs access. It just works, although I'll concede that for some extreme levels of paranoia, and additional problems for users, I could possibly do more.

I use port 22; that's what it's for. I do see the occasional dictionary attacks, which come to nowt due to my using strong account passwords, but just to give me the pleasure of banning the bastards, I have a script which parses the log file to collect multiple failed login attempts, and adds the IP to /etc/hosts.deny for sshd. This has harvested 105 entries so far, with a new one being added almost daily :)

-- 
Tony van der Hoff | mailto:tony(a)vanderhoff.org
Buckinghamshire, England
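The log-parsing script Tony describes is not posted in the thread; the following is an added example (not his script, and not part of the original posts) of the same idea: count "Failed password" lines per source address in sshd's syslog output and print the hosts.deny lines that still need appending. The log lines, the existing hosts.deny contents, the threshold of three failures and the hostname "magpie" are all constructed for the example.

```sh
#!/bin/sh
# Constructed sample of sshd log lines as written via syslog (not real data).
SAMPLE_LOG='Jan 15 06:40:01 magpie sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jan 15 06:40:03 magpie sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
Jan 15 06:40:05 magpie sshd[2311]: Failed password for root from 203.0.113.7 port 41024 ssh2
Jan 15 06:40:06 magpie sshd[2311]: Failed password for root from 203.0.113.7 port 41025 ssh2
Jan 15 06:40:08 magpie sshd[2311]: Failed password for root from 203.0.113.7 port 41026 ssh2
Jan 15 06:41:10 magpie sshd[2320]: Failed password for tony from 198.51.100.9 port 51000 ssh2
Jan 15 06:41:30 magpie sshd[2320]: Accepted password for tony from 198.51.100.9 port 51001 ssh2
Jan 15 06:42:00 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33000 ssh2
Jan 15 06:42:01 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2
Jan 15 06:42:02 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2
Jan 15 06:42:03 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33003 ssh2
Jan 15 06:42:04 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33004 ssh2
Jan 15 06:42:05 magpie sshd[2330]: Failed password for invalid user test from 192.0.2.44 port 33005 ssh2'

# Constructed sample of an existing /etc/hosts.deny; one attacker is already banned.
SAMPLE_HOSTS_DENY='# /etc/hosts.deny
sshd: 203.0.113.7'

# offenders THRESHOLD  (log text on stdin)
# Prints, sorted, every source address with at least THRESHOLD failed logins.
# Only sshd "Failed password" lines count; "Accepted" and other lines are ignored.
offenders() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address is the field after "from", whatever the user part looks like
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i+1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= thr) print ip }
    ' | sort
}

# new_deny_entries THRESHOLD LOG_TEXT HOSTS_DENY_TEXT
# Prints the "sshd: <ip>" lines that are not already present in hosts.deny.
new_deny_entries() {
    threshold="$1"; log="$2"; deny="$3"
    printf '%s\n' "$log" | offenders "$threshold" | while read -r ip; do
        # compare whole fields so 192.0.2.4 does not match 192.0.2.44
        if ! printf '%s\n' "$deny" |
             awk -v ip="$ip" '$1 == "sshd:" && $2 == ip { found = 1 } END { exit !found }'; then
            printf 'sshd: %s\n' "$ip"
        fi
    done
}

# Stand-alone run: lines a cron job would append to /etc/hosts.deny.
new_deny_entries 3 "$SAMPLE_LOG" "$SAMPLE_HOSTS_DENY"
```

On a real host the two constructed strings would be replaced by /var/log/auth.log (or /var/log/secure) and /etc/hosts.deny, and the output appended by root from cron. The caveat worth knowing before copying this approach: hosts.deny only affects sshd if it was built with tcp_wrappers (libwrap), and OpenSSH dropped libwrap support in 6.7, so on current systems the equivalent ban is a firewall rule, which is what tools such as fail2ban and sshguard automate.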
From: Martin Gregorie on 15 Jan 2006 07:38

Dave {Reply Address in.Sig} wrote:
> I think you mean /etc/ssh/ssh_known_hosts for this one.
>
I stand corrected.

> Nowhere in my man pages does it claim to restrict access.
>
Depends whether you're talking about the client or the server side.

> All that happens from the client side if a host/key is not listed is warn that it
> can't verify the host and ask if you want to proceed anyway. The
> system-wide one is useless for access restriction anyway, because a user
> can just have something in his local .ssh/known_hosts instead.
>
Of course, but that's the client side. I'm interested in restricting the list of clients that can access my server, and /etc/ssh/ssh_known_hosts, if it exists, does just that according to the sshd manpage.

> If you really want to restrict access then either use a firewall on the
> front of your network or use tcp wrappers.
>
I already use a firewall. But, as 22 is a well-known port (and anyway a port scanner will find non-standard ones) I'd like things a bit tighter. Yes, I can use the hosts.allow/deny and shosts.equiv but they can't stop spoofing - only ssh_known_hosts can do that.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: Martin Gregorie on 15 Jan 2006 08:01

Ian Rawlings wrote:
> On 2006-01-15, Martin Gregorie <martin(a)see.sig.for.address> wrote:
>
>> /etc/ssh/known_hosts
>> This is optional and used by sshd. If it is present it restricts the
>> hosts that sshd will accept connections from. The sshd manpage says it
>> does roughly the same job as hosts.accept and hosts.equiv in that, if
>> it's present, only connections from hosts listed in it will be accepted.
>
> Hmm, my man page doesn't say that, it's mildly ambiguous but it says
> that it's the system-wide equivalent of the ~/.ssh/known_hosts file,
> and is used for verifying the remote host that you are initiating a
> connection to.
>
It's certainly somewhat ambiguous. You have to read both the ssh and sshd manpages more than once to get the gist. The same file is used quite differently by ssh and sshd.

*ssh* will always connect - it just doesn't add a host to its $HOME/.ssh/known_hosts if it's already in /etc/ssh/ssh_known_hosts.

However, if I've understood the manpages correctly, if /etc/ssh/ssh_known_hosts exists then *sshd* will only accept connections from hosts that are listed in the file.

> What version of SSH are you using, and can you post the man page
> section that you think states that the file is used to check
> *incoming* connections?
>
OpenSSH_3.6.1p2

From the *ssh* manpage:

    The second authentication method is the rhosts or hosts.equiv method
    combined with RSA-based host authentication. It means that if the login
    would be permitted by $HOME/.rhosts, $HOME/.shosts, /etc/hosts.equiv, or
    /etc/ssh/shosts.equiv, and if additionally the server can verify the
    client's host key (see /etc/ssh/ssh_known_hosts and
    $HOME/.ssh/known_hosts in the FILES section), only then login is
    permitted. This authentication method closes security holes due to IP
    spoofing, DNS spoofing and routing spoofing.

    [Note to the administrator: /etc/hosts.equiv, $HOME/.rhosts, and the
    rlogin/rsh protocol in general, are inherently insecure and should be
    disabled if security is desired.]

From the *sshd* manpage:

    /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts
        These files are consulted when using rhosts with RSA host
        authentication or protocol version 2 hostbased authentication to
        check the public key of the host. The key must be listed in one of
        these files to be accepted. The client uses the same files to
        verify that it is connecting to the correct remote host. These
        files should be writable only by root/the owner.
        /etc/ssh/ssh_known_hosts should be world-readable, and
        $HOME/.ssh/known_hosts can, but need not be, world-readable.

My reading of this is that, if /etc/ssh/ssh_known_hosts exists, then *sshd* will only accept connections from client hosts that are listed in this file and which authenticate using the public key in the file. If it exists it works the same as using hosts.accept or hosts.equiv except that it applies public key authentication as well in order to trap DNS spoofing and man-in-the-middle attacks.

-- 
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot
From: steve on 15 Jan 2006 08:34

On Sun, 15 Jan 2006 11:14:17 +0000, Dave {Reply Address in.Sig} wrote:
> The system-wide one
> is useless for access restriction anyway, because a user can just have
> something in his local .ssh/known_hosts instead.

Unless you set IgnoreUserKnownHosts in sshd_config
From: Tim Woodall on 15 Jan 2006 08:52

On Sun, 15 Jan 2006 13:01:46 +0000, Martin Gregorie <martin(a)see.sig.for.address> wrote:
> Ian Rawlings wrote:
>> On 2006-01-15, Martin Gregorie <martin(a)see.sig.for.address> wrote:
>>
>>> /etc/ssh/known_hosts
>>> This is optional and used by sshd. If it is present it restricts the
>>> hosts that sshd will accept connections from. The sshd manpage says it
>>> does roughly the same job as hosts.accept and hosts.equiv in that, if
>>> it's present, only connections from hosts listed in it will be accepted.
>>
>> Hmm, my man page doesn't say that, it's mildly ambiguous but it says
>> that it's the system-wide equivalent of the ~/.ssh/known_hosts file,
>> and is used for verifying the remote host that you are initiating a
>> connection to.
>>
> It's certainly somewhat ambiguous. You have to read both the ssh and sshd
> manpages more than once to get the gist. The same file is used quite
> differently by ssh and sshd.
>
> *ssh* will always connect - it just doesn't add a host to its
> $HOME/.ssh/known_hosts if it's already in /etc/ssh/ssh_known_hosts.
>
> However, if I've understood the manpages correctly, if
> /etc/ssh/ssh_known_hosts exists then *sshd* will only accept connections
> from hosts that are listed in the file.
>
I'll agree that the manpages are unclear but this doesn't appear to be the case - I've just touched ssh_known_hosts and I can still ssh in fine.

You can change the line

    #AuthorizedKeysFile %h/.ssh/authorized_keys

in sshd_config so that there is one system-wide keys file if you prefer. Or you could have something like /etc/ssh/%u/authorized_keys that could then be maintained by root.

See man sshd_config

Tim.

-- 
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t," and there was light.
http://tjw.hn.org/
http://www.locofungus.btinternet.co.uk/
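Pulling the thread's settings together in one place, as an added example that is not from any of the posters: sshd consults /etc/ssh/ssh_known_hosts only while performing hostbased authentication, to verify the connecting client's host key; it restricts nothing on its own, which is why Tim's touching the file changed nothing for an ordinary password login. A hostbased login additionally needs the client host listed in /etc/ssh/shosts.equiv (or ~/.shosts) and the client's ssh configured to use ssh-keysign. Below, a permissive sshd_config sits beside a hardened one (PermitRootLogin no and a group restriction as Tony describes, IgnoreUserKnownHosts as steve points out, a root-maintained AuthorizedKeysFile as Tim suggests), with a small audit function that reports the settings that fall short. Both configs and the group name sshusers are constructed for the example; the audit reads only the global section (it stops at the first Match block) and honours sshd's rule that the first occurrence of a keyword wins.

```sh
#!/bin/sh
# Constructed example of a permissive sshd_config (not from a real host).
WEAK_CONFIG='# constructed example, not a real host
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
HostbasedAuthentication yes
IgnoreRhosts no
IgnoreUserKnownHosts no
#AuthorizedKeysFile %h/.ssh/authorized_keys'

# Constructed example of the same server hardened along the lines of the thread.
HARDENED_CONFIG='# constructed example, not a real host
Port 22
Protocol 2
PermitRootLogin no
# only members of this (assumed) group may log in at all
AllowGroups sshusers
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
# hostbased auth: the client host key must be in root-owned /etc/ssh/ssh_known_hosts
# and the host listed in /etc/ssh/shosts.equiv; users cannot widen either list
HostbasedAuthentication yes
IgnoreRhosts yes
IgnoreUserKnownHosts yes
# public keys maintained by root rather than by each user
AuthorizedKeysFile /etc/ssh/%u/authorized_keys'

# sshd_get CONFIG_TEXT KEYWORD
# Prints the effective value of KEYWORD in the global section: keywords are
# case-insensitive, "Key value" and "Key=value" are both accepted, comments
# and blank lines are skipped, the first occurrence wins, and scanning stops
# at the first Match block. Prints nothing if the keyword is not set.
sshd_get() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v key="$key" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)
            kw = tolower(f[1])
            if (kw == "match") exit
            if (kw == key) {
                sub(/^[^ \t=]+[ \t=]+/, "")   # drop the keyword, keep the whole value
                print
                exit
            }
        }
    '
}

# expect_kw CONFIG_TEXT KEYWORD WANTED
# Prints one finding unless KEYWORD is explicitly set to WANTED. Absence is a
# finding too: the built-in default varies between OpenSSH versions.
expect_kw() {
    v=$(sshd_get "$1" "$2" | tr 'A-Z' 'a-z')
    if [ -z "$v" ]; then
        printf '%s not set (default varies by version; set it explicitly)\n' "$2"
    elif [ "$v" != "$3" ]; then
        printf '%s is "%s", want "%s"\n' "$2" "$v" "$3"
    fi
}

# audit_sshd_config CONFIG_TEXT
# One finding per line; empty output means every check passed.
audit_sshd_config() {
    expect_kw "$1" PermitRootLogin no
    expect_kw "$1" IgnoreRhosts yes
    expect_kw "$1" IgnoreUserKnownHosts yes
    expect_kw "$1" PermitEmptyPasswords no
    if [ -z "$(sshd_get "$1" AllowGroups)$(sshd_get "$1" AllowUsers)" ]; then
        echo "no AllowGroups/AllowUsers: every account with a valid shell may log in"
    fi
}

# Stand-alone run against both constructed configs.
echo "findings for the permissive config:"
audit_sshd_config "$WEAK_CONFIG"
echo "findings for the hardened config (none expected):"
audit_sshd_config "$HARDENED_CONFIG"
```

Against a real server, feed the function the output of `sshd -T` rather than the file: that prints the configuration sshd actually resolved, including defaults and the effect of Include and Match, which is what the audit should be judging.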