From: alexd on 16 Jan 2006 14:16

Martin Gregorie wrote:
> alexd wrote:
>> Martin Gregorie wrote:
>>
>>> alexd wrote:
>> [Port knocking] is Security By Obscurity, version 2.1 ;-)
>>
> Yes, it is, rather, isn't it? Quite ingenious, though. Probably unusable
> with an ADSL router unless you've got one that's fancy enough to send
> its access log to a server, though.

No need. Just forward the relevant ports from your router to your server.
Presumably you'd be forwarding SSH anyway, so your router is already capable.

alexd
--
<http://ale.cx/> (AIM:troffasky) (gebssnfxl(a)ubgznvy.pbz)
19:15:29 up 23:30, 2 users, load average: 0.29, 0.12, 0.09
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

From: Dave {Reply Address in.Sig} on 16 Jan 2006 16:17

Martin Gregorie wrote:
> Robert Hull wrote:
>> In uk.comp.os.linux, on Sun 15 January 2006 12:38, Martin Gregorie
>> <martin(a)see.sig.for.address> wrote:
>>
>>> I'm interested in restricting the list of clients that can access my
>>> server, and if /etc/ssh/ssh_known_hosts, if it exists, does just that
>>> according to the sshd manpage.
>>>
>> Not the man page on this machine (SuSE 10 2.6.13-15.7 kernel) where it
>> states:
>>
>>     /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts
>>         These files are consulted when using rhosts with RSA host
>>         authentication or protocol version 2 hostbased authentication
>>         to check the public key of the host.
>>
>>         The key must be listed in one of these files to be accepted.
>>         The client uses the same files to verify that it is connecting
>>         to the correct remote host.
>>
>> Nothing there about presence/absence in /etc/ssh/ssh_known_hosts being
>> used to disallow access, only that presence will allow it.
>
> OK, but if the key check doesn't deny access, what exactly is its point?
>

I always thought it was a list of system-wide approved hosts to which you
can connect without scary warning messages. I've never really seen it as
an inbound restriction.

--
Dave
mail da ve(a)llondel.org (without the space)
http://www.llondel.org
So many gadgets, so little time

From: Nix on 16 Jan 2006 17:17

On Mon, 16 Jan 2006, alexd spake:
> Martin Gregorie wrote:
>
>> alexd wrote:
>>> Martin Gregorie wrote:
>>>
>>>> alexd wrote:
>>> [Port knocking] is Security By Obscurity, version 2.1 ;-)
>>>
>> Yes, it is, rather, isn't it? Quite ingenious, though. Probably unusable
>> with an ADSL router unless you've got one that's fancy enough to send
>> its access log to a server, though.
>
> No need. Just forward the relevant ports from your router to your server.

... or run in PPP half-bridged (or even fully-bridged) mode and do all
firewalling and things on your Linux box.

--
`Logic and human nature don't seem to mix very well, unfortunately.'
--- Velvet Wood

From: Martin Gregorie on 16 Jan 2006 18:21

Dave {Reply Address in.Sig} wrote:
> Martin Gregorie wrote:
>> Robert Hull wrote:
>>> In uk.comp.os.linux, on Sun 15 January 2006 12:38, Martin Gregorie
>>> <martin(a)see.sig.for.address> wrote:
>>>
>>>> I'm interested in restricting the list of clients that can access my
>>>> server, and if /etc/ssh/ssh_known_hosts, if it exists, does just that
>>>> according to the sshd manpage.
>>>>
>>> Not the man page on this machine (SuSE 10 2.6.13-15.7 kernel) where it
>>> states:
>>>
>>>     /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts
>>>         These files are consulted when using rhosts with RSA host
>>>         authentication or protocol version 2 hostbased authentication
>>>         to check the public key of the host.
>>>
>>>         The key must be listed in one of these files to be accepted.
>>>         The client uses the same files to verify that it is
>>>         connecting to the correct remote host.
>>>
>>> Nothing there about presence/absence in /etc/ssh/ssh_known_hosts being
>>> used to disallow access, only that presence will allow it.
>>
>> OK, but if the key check doesn't deny access, what exactly is its point?
>>
> I always thought it was a list of system-wide approved hosts to which
> you can connect without scary warning messages. I've never really seen
> it as an inbound restriction.
>

That's perfectly reasonable from the ssh client p.o.v. However, if that's
all it's meant to do then sshd should not use the file, but according to
the manpage it does.

I'd intended to investigate this today, but got bound up in playing with
a new printer, configuring Sculptor to drive it and fixing my OS-9/68K
spooler configuration. Tomorrow...

--
martin@   | Martin Gregorie
gregorie. |
org       | Zappa fan & glider pilot

From: Ian Rawlings on 16 Jan 2006 21:16

On 2006-01-16, Martin Gregorie <martin(a)see.sig.for.address> wrote:
> Interesting. Mine says pretty much the opposite, but it does rather lump
> hosts.allow|deny in with hosts.equiv as well as saying that sshd will
> use the public key in ssh_known_hosts to permit access. What it doesn't
> say explicitly is that a key non-match will forbid access, but I can't
> see why sshd should even glance at the public key if it doesn't reject
> non-matches.

The known_hosts files appear to be dual use. With user-account-based
authentication, they are used to check the authenticity of the host you
are connecting to, however when using host-based authentication they are
used to check the authenticity of the hosts trying to connect to you.
The manuals are however riddled with obvious errors, so experimentation
is the key.

With host-based authentication, you appear to have to trust the
connecting hosts as user matching is done on username only. Considering
how easy it is to add users to a box, if you don't trust the remote admin
then that's not an option. I've never trusted host-based authentication
enough to even consider using it. Also, you don't appear to be able to
mix host-based and user-based authentication.

--
Blast off and strike the evil Bydo empire! |
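The file trio Ian describes for host-based authentication (sshd_config, shosts.equiv and ssh_known_hosts on the server, plus the matching ssh_config on the client), laid out as an added example that is not code from the thread. All host names and key strings are constructed placeholders, and the check function is only a model of the two lookups sshd performs: real sshd additionally verifies a signature made by the client's ssh-keysign helper.

```shell
#!/bin/sh
# Added example, not code from the thread: lays out the files sshd consults
# for host-based authentication in a scratch directory, then models the two
# lookups sshd makes for a connecting client. Host names and keys are
# constructed placeholders; real sshd also verifies a signature produced by
# ssh-keysign on the client, which this model does not do.
set -eu

setup_hostbased_dir() {
    dir=$1
    mkdir -p "$dir"
    # Server side: enable host-based auth and trust only the system-wide
    # ssh_known_hosts, not per-user ~/.ssh/known_hosts files.
    cat > "$dir/sshd_config" <<'EOF'
HostbasedAuthentication yes
IgnoreUserKnownHosts yes
EOF
    # shosts.equiv: the client hosts allowed to log in this way.
    cat > "$dir/shosts.equiv" <<'EOF'
desk.example.lan
laptop.example.lan
EOF
    # ssh_known_hosts: public host keys of those clients (constructed values).
    cat > "$dir/ssh_known_hosts" <<'EOF'
desk.example.lan ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-DESK
laptop.example.lan ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-LAPTOP
EOF
    # Client side: offer host-based auth and let ssh use the setuid
    # ssh-keysign helper to sign with the client's host key.
    cat > "$dir/ssh_config" <<'EOF'
HostbasedAuthentication yes
EnableSSHKeysign yes
EOF
}

# Model of sshd's decision for one client: "allow" only when the host is
# listed in shosts.equiv AND the key it presents is its ssh_known_hosts entry.
hostbased_check() {
    dir=$1; host=$2; key=$3
    grep -qxF "$host" "$dir/shosts.equiv" || { echo deny-unlisted; return 0; }
    grep -qxF "$host ssh-rsa $key" "$dir/ssh_known_hosts" \
        || { echo deny-keymismatch; return 0; }
    echo allow
}
```

A host that is absent from ssh_known_hosts, or presents a different key than the one recorded there, is refused even if shosts.equiv lists it, which is the inbound restriction the thread was asking about.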