[svlug] Configuring Server - SSH Trouble + Security Considerations
Don Marti
dmarti at zgp.org
Tue Oct 24 18:51:19 PDT 2006
begin Rick Moen quotation of Mon, Oct 23, 2006 at 02:57:20PM -0700:
> > SSH (trying to find a way to restrict it to my machines only, so if
> > you're not my laptop or desktop, it should just categorically deny
> > you.)
>
> A lot of people do that; I don't. I simply don't think the "Eek! OMG,
> I've been portscanned. Eek! OMG, someone's dictionary-attacking my
> sshd" stuff is even significant at all (given precautions to keep local
> users from doing dumb things with password-selection).
I choose not to allow passworded ssh logins at all.
How do I know when a user chooses the same password
on my system as on an insecure site somewhere else?
If you want in, you have to generate a key, give it to
me, and then either log in for the first time in front
of me so I can check the host key fingerprint, or call
me and check the host key fingerprint over the phone.
I have few enough users to make this practical --
if I had any more I'd figure out how to make signed
packages to distribute an /etc/ssh/ssh_known_hosts
to everyone.
sshd_config options to set:
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
Options to set if you can, and if it makes sense:
AllowUsers (or if not, DenyUsers)
ListenAddress
(I'm going to put an expanded version of this into
a new Git/ikiwiki-powered tip of the day feed --
https://monkey.linuxworld.com/tips.html)
--
Don Marti
http://zgp.org/~dmarti/
dmarti at zgp.org
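As an added illustration (not part of Don Marti's post and not an svlug project), here is a POSIX shell check for the sshd_config settings listed in the message. The sample configuration it audits is constructed for the example. It matters that sshd honours the first value it sees for a keyword, so a later "PasswordAuthentication no" cannot undo an earlier "yes", and that settings inside a Match block apply only conditionally; the check reads the effective global value rather than just grepping for the line.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening options from the
# message above. sshd uses the FIRST value set for each keyword, and a
# "Match" block extends to the end of the file (or the next Match), so
# directives after a Match are conditional and are skipped here.

# effective_value FILE KEYWORD -> prints the first global value, or nothing.
# Keyword comparison is case-insensitive, as in sshd.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }              # conditional from here on
        inmatch { next }
        k == key { print $2; exit }                     # first value wins
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if the three required settings are
# effective; otherwise prints each problem and returns 1. AllowUsers and
# ListenAddress are reported only as notes, since the post calls them optional.
check_sshd_config() {
    f="$1"; rc=0
    for pair in ChallengeResponseAuthentication=no PasswordAuthentication=no PermitRootLogin=no; do
        key="${pair%=*}"; want="${pair#*=}"
        got="$(effective_value "$f" "$key")"
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', effective value '${got:-<default>}'"
            rc=1
        fi
    done
    for opt in AllowUsers ListenAddress; do
        [ -n "$(effective_value "$f" "$opt")" ] || echo "note: $opt not set (optional)"
    done
    return $rc
}

# Constructed sample config (hypothetical, for demonstration only). The
# second "PasswordAuthentication no" is ignored by sshd because "yes" came
# first, and the PermitRootLogin inside the Match block is conditional.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
PasswordAuthentication no
AllowUsers dmarti
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF

check_sshd_config "$SAMPLE_CONFIG" && echo "sshd_config OK" || echo "sshd_config needs attention"
```

On a live system the effective configuration can also be printed with `sshd -T` and compared against the same expectations, and `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints the host key fingerprint that the post describes reading out over the phone.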