[Gllug] ssh attacks
Nix
nix at esperi.org.uk
Fri Feb 3 21:38:58 UTC 2006
On Fri, 03 Feb 2006, Dani Pardo announced authoritatively:
> En/na Daniel P. Berrange wrote:
>
>> Ditch passwords & switch to public key based authentication. As a minimum
>> I typically alter the SSH config of internet facing machines to set
>> AllowUsers bob
>> PermitRootLogin no
>> PasswordAuthentication no
>> GSSAPIAuthentication no
>> ChallengeResponseAuthentication no
>> PubkeyAuthentication yes
>>
>
> What I can't achieve is to allow only an ordinary user to ssh (via
> AllowUsers), and also root to ssh via the host RSA key, but disable
> root logins with password. Mmm..

Run two sshds on different ports with different config files (via -f),
set the internal one up with a ListenAddress of 127.0.0.1 and the
machine's own IP address and firewall it off from the outside world, set
PermitRootLogin on the internal one, and add a stanza something like

  Host localhost every-other-name-for-this-machine-I-can-think-of
  Port 22012

to /etc/openssh/ssh_config (assuming your root-login-allowed sshd is
listening on port 22012.)

--
`I won't make a secret of the fact that your statement/question
sent a wave of shock and horror through us.' --- David Anderson
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
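
A check for the two-daemon layout described in the reply above, as an added example that is not part of the original message: it parses two constructed sshd_config texts the way sshd reads them (first value wins per keyword) and reports where the split is broken. The names parse and audit, the sample configs and the address 192.0.2.10 are assumptions; the firewall rule is outside what a config check can see.

```python
# Added example: constructed configs for the two-daemon layout described above.
EXTERNAL = """\
Port 22
AllowUsers bob
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
# 192.0.2.10 is a documentation address standing in for the machine's own IP.
INTERNAL = """\
Port 22012
ListenAddress 127.0.0.1
ListenAddress 192.0.2.10
PermitRootLogin yes
"""
ACCUMULATE = {"port", "listenaddress", "allowusers"}  # repeated lines add up

def parse(text):
    """Parse sshd_config text: keywords are case-insensitive and, apart from
    the accumulating ones, the first value seen for a keyword wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.replace("=", " ", 1).split()
        key = key.lower()
        if key in ACCUMULATE:
            cfg.setdefault(key, []).extend(args)
        else:
            cfg.setdefault(key, " ".join(args))
    return cfg

def audit(external, internal, own_ip):
    """Return a list of problems; empty means the split matches the advice."""
    ext, inn = parse(external), parse(internal)
    problems = []
    if ext.get("permitrootlogin", "").lower() != "no":
        problems.append("external: root login not disabled")
    if ext.get("passwordauthentication", "yes").lower() != "no":
        problems.append("external: password authentication enabled")
    addrs = inn.get("listenaddress", [])
    if not addrs:
        problems.append("internal: no ListenAddress, binds all interfaces")
    for addr in addrs:
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        if host not in ("127.0.0.1", own_ip):
            problems.append("internal: listens on " + addr)
    if set(inn.get("port", ["22"])) & set(ext.get("port", ["22"])):
        problems.append("both daemons use the same port")
    return problems
```
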