
Re: configure ssh-access



On the 12242nd day after Epoch,
Peter Cordes wrote:

> On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
>> On the 12240th day after Epoch,
>> Mario Ohnewald wrote:
>> > I think this problem should not be solved with configuring sshd.
>> 
>> Wrong... You can configure sshd to accept logins only from recognized keys,
>> and leave the firewall open.
>
>  If there is an exploitable bug in that code, you're screwed, and the whole
> world can crack your machine.

Yes, sure. And if the IP stack has a bug, your machine is open worldwide. And
if your door is buggy, then anybody can enter...

I think the original post is: "Suppose there are no bugs in life, how can I authorize
access from recognized people?" ... And so the right response is "Use keys"...

> It's not really a problem to allow ssh access
> from the whole world, except when there's a problem with ssh.  What you
> should try to do is limit the chance people have to crack your machine
> before you can do something about it.

Yes, I agree, but if you want to access a box over the network, there is
*always* a risk if this or that component has a hole, and an exploit is published.

>  By allowing connections from only a
> few IP address blocks, you cut out most of the crackers in the world, but
> don't have to mess with dynamic DNS and lack of reverse lookup; a good
> tradeoff between security and convenience.

Even with fake/forged IPs?

Anyway, you can be paranoid about your machine, but there are always ways to
get into these kinds of machines. Actually, there is no known bug in SSH v2
using key authentication. This is the easiest solution.

You can also imagine a knocking (knock knock knock) mechanism: one ping, followed by
two telnet packets, then four FTP or whatever packets, and then your IP is allowed
to try an SSH connection...

Good luck ;)

-- 
"Jesus saves...but Gretzky gets the rebound!"
-- Daniel Hinojosa (hinojosa@hp-sdd)
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:francois@tourde.org - URL: http://francois.tourde.org/
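As an added example (not code from this thread or from either poster) of the sshd side of the argument above: a small audit script that reads an sshd_config and reports anything that departs from "keys only, no password paths, root closed, and logins limited to a few address blocks". The two embedded configs are constructed; the 192.0.2.0/24 and 198.51.100.7 addresses are documentation ranges standing in for an admin's own networks. The keywords and defaults are those of current OpenSSH, some of which (AllowUsers user@CIDR, Match blocks) post-date this 2003 thread.

```python
"""Audit an sshd_config against the policy argued for in the thread:
public keys only, no password paths, root closed, and logins limited to
a few source networks. Added example; the configs below are constructed."""
import re
import sys
from typing import Dict, List, Tuple

# Constructed: a config that still lets the whole world guess passwords.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed: the key-only variant. 192.0.2.0/24 and 198.51.100.7 are
# documentation addresses standing in for the admin's own networks.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin@192.0.2.0/24 admin@198.51.100.7
"""


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Split a config into global settings and Match blocks.

    Keywords are case-insensitive in sshd, so they are lower-cased here.
    As in sshd, the first occurrence of a keyword wins; later ones are
    ignored rather than overriding it.
    """
    global_settings: Dict[str, str] = {}
    match_blocks: List[Tuple[str, Dict[str, str]]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, match_blocks


def audit_sshd_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    cfg, matches = parse_sshd_config(text)
    findings: List[str] = []

    def setting(key: str, default: str) -> str:
        # The defaults are what current OpenSSH assumes for an unset keyword.
        return cfg.get(key, default).lower()

    if "1" in setting("protocol", "2").split(","):
        findings.append("Protocol 1 is enabled; allow only 'Protocol 2'")
    if setting("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'; passwords can be guessed from anywhere")
    # Newer sshd spells this KbdInteractiveAuthentication, older ones ChallengeResponseAuthentication.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes")).lower()
    if kbd != "no":
        findings.append("keyboard-interactive auth is not 'no'; PAM can still prompt for a password")
    if setting("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is 'no'; keys cannot be used at all")
    if setting("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes; root is the first account anyone will try")

    # Source restriction: AllowUsers user@host (host may be CIDR) in the global
    # section, or a Match Address block that carries its own Allow/DenyUsers.
    restricted = any("@" in tok for tok in cfg.get("allowusers", "").split()) or any(
        crit.lower().startswith("address") and ("denyusers" in blk or "allowusers" in blk)
        for crit, blk in matches
    )
    if not restricted:
        findings.append("no source-address restriction (AllowUsers user@network or Match Address)")
    return findings


if __name__ == "__main__":
    # Audit a real file if one is given, otherwise show both constructed configs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_CONFIG, "hardened": HARDENED_CONFIG}
    for name, body in samples.items():
        result = audit_sshd_config(body)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it as `python audit_sshd.py /etc/ssh/sshd_config` to check a live host. The first-occurrence rule in the parser matters: a `PasswordAuthentication no` appended at the bottom of a file that already says `yes` higher up changes nothing in sshd, and the audit reports that faithfully.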



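The "knock knock knock" idea at the end of the reply, as an added illustration (not code from the thread): a gate that consumes (timestamp, source address, destination port) events such as a firewall log yields, and admits a source to port 22 only after it has hit the secret ports in order within a time window. The sequence, the window and the event log are all constructed for the example.

```python
"""Port-knock gate: a per-source state machine over a secret port sequence.
Added example, not code from the thread; sequence, window and events are
constructed."""
from typing import Dict, List, Optional, Tuple

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence
KNOCK_WINDOW = 10.0                  # seconds allowed to finish the sequence
SSH_PORT = 22


class KnockTracker:
    """Tracks how far each source has got through the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        # source -> (index of next expected port, time of first correct knock)
        self.progress: Dict[str, Tuple[int, float]] = {}
        self.allowed: Dict[str, float] = {}  # source -> time it completed

    def observe(self, ts: float, src: str, dport: int) -> bool:
        """Record one non-SSH packet; return True when the sequence completes."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts  # partial sequence went stale: start over
        if dport != self.sequence[idx]:
            # Wrong port at this step resets the source. No partial credit,
            # so a sequential port sweep never assembles the sequence.
            self.progress.pop(src, None)
            return False
        idx += 1
        if idx == len(self.sequence):
            self.allowed[src] = ts
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, started)
        return False

    def is_allowed(self, src: str) -> bool:
        return src in self.allowed


# Constructed event log: (timestamp, source address, destination port).
EVENTS = [
    (0.0, "203.0.113.5", 7000),
    (1.0, "203.0.113.5", 8000),
    (2.0, "203.0.113.5", 9000),
    (3.0, "203.0.113.5", 22),     # full sequence in 2 s -> admitted
    (0.5, "198.51.100.9", 7000),
    (0.9, "198.51.100.9", 9000),  # second knock out of order -> reset
    (1.5, "198.51.100.9", 22),    # refused
    (0.0, "192.0.2.77", 7000),
    (20.0, "192.0.2.77", 8000),   # window expired, and 8000 is not the first knock
    (21.0, "192.0.2.77", 22),     # refused
]


def process(events, tracker: Optional[KnockTracker] = None) -> List[Tuple[str, bool]]:
    """Replay events in time order; return (source, admitted?) per SSH attempt."""
    tracker = tracker or KnockTracker()
    decisions: List[Tuple[str, bool]] = []
    for ts, src, dport in sorted(events):
        if dport == SSH_PORT:
            decisions.append((src, tracker.is_allowed(src)))
        else:
            tracker.observe(ts, src, dport)
    return decisions


if __name__ == "__main__":
    for src, ok in process(EVENTS):
        print(f"{src:>14}: {'admitted' if ok else 'refused'}")
```

In a real deployment this logic lives in a daemon such as knockd, or in firewall rules, and the admission should expire after a short time rather than persist as it does here. Knocking hides the port from scanners; it does not change what happens once the connection is accepted, which is why the reply still puts key-only authentication first.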