From: Martin Gregorie on
Chris Croughton wrote:
> Yes, I use ssh over the Internet and I don't use that file, because the
> whole point is that I need to be able to get into my machine from places
> where I don't know the IP address (in some cases, via machines using
> dialup connections where the IP address isn't even the same each time I
> connect). As far as I can see by its nature it only allows connection
> from individual hosts, not even a range, and so is useless to me.
I quite see your reasoning, and why it would not work for you. Did you
try wildcarding it? The manpages mention this facility, but don't
explain how a given public key could apply to, say, all the hosts
implied by * or by 111.222.333.* - I see some confusion there!

However, I want to solve the reverse problem and create an exceedingly
narrow window where only one or two known hosts would be allowed in for
remote sysadmin and this technique looks as if it matches my requirement.

martin@gregorie.org | Martin Gregorie | Zappa fan & glider pilot
From: Nix on
On Sun, 15 Jan 2006, Tony van der Hoff gibbered uncontrollably:
> I use port 22; that's what it's for. I do see the occasional dictionary
> attacks, which come to nowt due to my using strong account passwords

You allow password-authentication over the open Internet?


I see dictionary attacks which come to nothing because the idiots are
handing it passwords when I want it to give me keys. :)

`Logic and human nature don't seem to mix very well,
unfortunately.' --- Velvet Wood
From: Toby Inkster on
Martin Gregorie wrote:

> There are TWO known_hosts files.
> ~/.ssh/known_hosts
> This works like you describe and automatically collects the keys for the
> hosts you connect to with your ssh client.
> /etc/ssh/known_hosts
> This is optional and used by sshd. If it is present it restricts the
> hosts that sshd will accept connections from.

Not sure which version of SSH you're using, but my "man sshd" lists only
these two known_hosts files:


The former acting the same as the latter, but read-only, and for all users
on the system rather than just one. To restrict which hosts may log in, my
"man sshd" recommends:


Toby A Inkster BSc (Hons) ARCS

From: Toby Inkster on
Martin Gregorie wrote:

> Thanks for that. I think this explains why, having muttered about
> ssh_known_hosts, the manpage also witters on about the hosts.* files.

Further, I don't think using "ssh_known_hosts" as a security mechanism to
prevent people logging on to your server is even a viable method. It has
one serious flaw -- it assumes that the client is logging on from a
machine that is itself a SSH server, and thus has a host key.

Toby A Inkster BSc (Hons) ARCS

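An added example, not code posted by anyone in this thread, tying together the two points made above: Nix's objection to accepting passwords over the open Internet, and the fact that host restriction for sshd is done with sshd_config and the hosts.allow/hosts.deny files, not with ssh_known_hosts. The script constructs a password-accepting sshd_config beside a key-only one and audits both, then builds the "narrow window" Martin wants as a tcp_wrappers rule pair and evaluates it with a simplified matcher that models the trailing-dot address prefix hosts_access(5) uses (the "111.222.333.*" form is not how that file spells a range). The user name "martin", the addresses 192.0.2.0/24 and 198.51.100.7, and an sshd built with libwrap are all assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any of its participants.
# Part 1: constructed sshd_config files, weak and hardened, plus an auditor.
# Part 2: constructed hosts.allow/hosts.deny for a two-host admin window, with
# a simplified hosts_access(5) matcher (ALL, exact address, trailing-dot prefix;
# real libwrap also does host names, net/mask and EXCEPT, omitted here).
# Assumed: sshd built with libwrap; "martin", 192.0.2.0/24 and 198.51.100.7
# are made-up values (documentation address ranges).

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
HOSTS_ALLOW=$(mktemp); HOSTS_DENY=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT

cat >"$WEAK_CFG" <<'EOF'
# Port 22 is fine; the problem is what sshd accepts once a client arrives.
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF

cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# Without this, PAM keyboard-interactive will still take a password.
ChallengeResponseAuthentication no
PermitRootLogin no
# sshd's own host restriction: user@host patterns, '*' is allowed here.
AllowUsers martin@192.0.2.* martin@198.51.100.7
EOF

# sshd_opt FILE KEYWORD DEFAULT: sshd uses the first occurrence of a keyword;
# DEFAULT applies when it is absent (both password-style keywords default to
# "yes", which is why an untouched sshd_config is exposed).
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# password_exposed FILE: true if a remote client can still try passwords.
password_exposed() {
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = yes ] ||
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" = yes ]
}

cat >"$HOSTS_ALLOW" <<'EOF'
# A trailing dot matches an address prefix; everything else falls to hosts.deny.
sshd: 192.0.2. 198.51.100.7
EOF
cat >"$HOSTS_DENY" <<'EOF'
sshd: ALL
EOF

# wrap_pattern_match PATTERN ADDR: ALL, exact address, or trailing-dot prefix.
wrap_pattern_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# wrap_file_matches FILE DAEMON ADDR: true if any rule in FILE covers the pair.
wrap_file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}                       # strip comments
        daemons=${line%%:*}
        [ "$daemons" = "$line" ] && continue   # no ':' means no rule
        clients=${line#*:}; clients=${clients%%:*}
        for d in $daemons; do
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for c in $clients; do
                wrap_pattern_match "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# ssh_allowed ADDR: hosts_access(5) order, hosts.allow first, then hosts.deny,
# and allow when neither file matches.
ssh_allowed() {
    wrap_file_matches "$HOSTS_ALLOW" sshd "$1" && return 0
    wrap_file_matches "$HOSTS_DENY" sshd "$1" && return 1
    return 0
}

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if password_exposed "$f"; then echo "$f: passwords can be tried remotely"
    else echo "$f: key-only"; fi
done
for a in 192.0.2.44 198.51.100.7 198.51.100.8; do
    if ssh_allowed "$a"; then echo "$a: reaches sshd"
    else echo "$a: refused by tcp_wrappers"; fi
done
```

The auditor checks ChallengeResponseAuthentication as well as PasswordAuthentication because, on a PAM-built sshd, turning off only the latter still leaves keyboard-interactive password prompts reachable from the network. The hosts.allow rule deliberately lists a prefix and a single address, since the one thing Toby's point rules out (ssh_known_hosts) is exactly what a host-restriction mechanism has to do without: the connecting client need not have a host key at all.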
From: alexd on
Martin Gregorie wrote:

> alexd wrote:
>> If you're super-paranoid, try port knocking.
> What's that, he says ignorantly.

It's Security By Obscurity, version 2.1 ;-)

Probably overkill in most cases.

<> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
07:54:00 up 12:08, 2 users, load average: 0.11, 0.25, 0.26
