[Watford] SSH Questions

Neel Upadhyaya bahulneel at gmail.com
Tue Sep 16 10:36:38 UTC 2008


In your /etc/ssh/sshd_config set:
PermitEmptyLogins no
TCPKeepAlive no

This will stop empty passwds and terminate idle sessions.  In terms of
preventing agents, I'm not sure but you can prevent agent forwarding in the
client [/etc/ssh/ssh_config] but setting:
ForwardAgent no


2008/9/16 Mark Stewart <markwstewart at gmail.com>

> thanks Alain - your document is a useful faq but I'm looking at a policy to
> prevent DBA's etc so they don't use passwordless keys or leave ssh-agent
> running or other ssh bad practices. Users can create keys anywhere and I'm
> powerless to stop how they create them.
>
> If a hacker got hold of password less keys they would control servers at
> ease.
>
> I can't see options for sshd that lets your prevent you accepting
> passwordless keys or find any commercial/open software that does this with
> OpenSSH.
>
> Any advice appreciated.
>
> 2008/9/16 Alain Williams <addw at phcomp.co.uk>
>
>> On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:
>>
>> > Hi Everyone,
>> >
>> > Does anyone know how to prevent the use of passwordless ssh keys? I want
>> to
>> > prevent users authenticating without a password.
>> >
>> > In fact if anyone know of any ssh policing tools/faqs that would be
>> really
>> > usefull. I find it simple securing a server, but when you have 100's of
>> > linux desktops I'm unsure on the best way to stop users leaving
>> ssh-agent
>> > running all the time or using passwordless keys.
>> >
>> > Discussion/advise appreciated.
>>
>> I have had a write up about this for some years:
>>
>>
>> http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php
>>
>> Comments/suggestions gratefully received.
>>
>> --
>> Alain Williams
>> Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT
>> Lecturer.
>> +44 (0) 787 668 0256  http://www.phcomp.co.uk/
>> Parliament Hill Computers Ltd. Registration Information:
>> http://www.phcomp.co.uk/contact.php
>> Chairman of UKUUG: http://www.ukuug.org/
>> #include <http://www.ukuug.org/#include> <std_disclaimer.h>
>>
>> _______________________________________________
>> Watford mailing list
>> Watford at mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/watford
>>
>
>
> _______________________________________________
> Watford mailing list
> Watford at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/watford
>
>


-- 
MCSE is to computers as McDonalds Certified Chef is to fine cuisine.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.lug.org.uk/pipermail/watford/attachments/20080916/86053503/attachment.htm 


More information about the Watford mailing list