Re: Debian SSH server configuration

On Tue, Apr 25, 2006 at 07:23:26PM -0400, Bruce Corbin wrote:
Hi All,

I would like to configure a Debian server to only allow clients to ssh
in if the public keys (probably RSA keys) already reside on the hard
drives of both machines.

After spending some time in the snail book I am able to use
"StrictHostKeyChecking yes" in the client's /etc/ssh/ssh_config file to
cause the client to refuse to establish a ssh connection unless the
server's public key is in the client's /home/user-name/.ssh/known_hosts
file. This is useful in preventing "overly trusting users" from blindly
answering "yes" and accepting man-in-the-middle keys when connecting to
a new server. But, this does not restrict who can connect to the server.

I tried putting "StrictHostKeyChecking yes" in the server's
/etc/ssh/sshd_config file but I got a "bad configuration option" error.
My server's /etc/ssh/sshd_config file has "PublicKeyAuthentication yes"
and "PasswordAuthentication no". I am uneasy about experimenting with
PublicKeyAuthentication without having a better understanding of what it
really does. I don't want to turn off any authentication features or
turn off any encryption features and leave myself wide open but thinking
that I am secure.

Thus, I think my goal is simple; I have paid some dues and I am hitting
a brick wall. I don't want any client computers to be able to ssh into
my server unless they already have the key on their hard drive.

Any suggestions?

Thank you,
Bruce

It sounds like what you are asking for is host based authentication,
where the server checks to make sure that it has the host public key
of the client, as well as the client making sure that it has the host
public key of the server.

In general I think this is a bad idea, as it is less secure than the
default approach where the server uses the host private key to prove
to the client (via the host public key in the client's known_hosts file)
that it is the server it thinks it is, and then the client user proves
his/her identity using a personal private key.

Host based authentication, once the two hosts are satisfied that they
know each other, falls back to the old /etc/hosts.equiv and $HOME/.rhosts
style of authentication.

I think the closest thing to what you are asking for would be
to require that the server's public host key be on the client's hard
disk, and the client user's public key be on the
server's hard disk.

You do that by selecting the StrictHostKeyChecking option on the
client machine as you have done, and by also disabling password
(and anything else but the type of public key authentication you
opt for) based authentication.

You still stop the black hats from trying to guess passwords
using your ssh server.

Regards,
DigbyT
--
Digby R. S. Tarvin digbyt(at)digbyt.com
http://www.digbyt.com
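The reply boils down to one server-side check: after the edit, is public-key authentication the only way in? A small script that reads an sshd_config the way sshd does (first occurrence of a keyword outside any Match block wins, falling back to the documented default) makes that easy to verify. This is an added example, not code from either poster or from Debian; the two config fragments are constructed, the defaults assumed (PasswordAuthentication yes, ChallengeResponseAuthentication yes, HostbasedAuthentication no, PermitEmptyPasswords no) are the ones documented in sshd_config(5), and note that OpenSSH's keyword is PubkeyAuthentication rather than PublicKeyAuthentication.

```shell
#!/bin/sh
# Constructed sample sshd_config contents (not taken from any real host).
# WEAK_CONFIG still permits password logins; HARDENED_CONFIG leaves only
# public-key authentication enabled.
WEAK_CONFIG='Port 22
Protocol 2
# password logins still allowed
PasswordAuthentication yes
PubkeyAuthentication yes
'

HARDENED_CONFIG='Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
'

# write_config CONTENT -> prints the path of a temp file holding CONTENT
write_config() {
    f=$(mktemp) || return 1
    printf '%s' "$1" > "$f"
    echo "$f"
}

# sshd_effective FILE KEYWORD DEFAULT
# Prints the effective value of KEYWORD (lower-cased). sshd honours the
# FIRST occurrence of a keyword and keywords before any Match block apply
# globally, so scanning stops at the first "Match" line; DEFAULT is printed
# when the keyword never appears before that point.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# check_sshd_config FILE
# Returns 0 when only public-key authentication is possible, 1 otherwise,
# printing one line per keyword examined.
check_sshd_config() {
    file=$1
    rc=0
    _want() {   # _want KEYWORD DEFAULT EXPECTED
        actual=$(sshd_effective "$file" "$1" "$2")
        if [ "$actual" != "$3" ]; then
            echo "FAIL: $1 is '$actual', want '$3'"
            rc=1
        else
            echo "ok:   $1 $actual"
        fi
    }
    _want PubkeyAuthentication            yes yes
    _want PasswordAuthentication          yes no
    _want ChallengeResponseAuthentication yes no
    _want HostbasedAuthentication         no  no
    _want PermitEmptyPasswords            no  no
    return $rc
}

# Demonstration on the two constructed fragments.
weak=$(write_config "$WEAK_CONFIG")
hardened=$(write_config "$HARDENED_CONFIG")
echo "--- weak config";     check_sshd_config "$weak"     || echo "-> NOT key-only"
echo "--- hardened config"; check_sshd_config "$hardened" && echo "-> key-only"
rm -f "$weak" "$hardened"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after sourcing the script; on current OpenSSH releases `sshd -T` dumps the effective configuration and is the authoritative cross-check, while `sshd -t` catches the "bad configuration option" error Bruce hit before the daemon is restarted.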

