
Re: configure ssh-access



(I'm replying to the list, hope you don't mind.)

On Thu, Jul 10, 2003 at 01:52:13PM +0200, Christian Kurz wrote:
> On [09/07/03 16:12], Peter Cordes wrote:
> > On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> > > On the 12240th day after Epoch,
> > > Mario Ohnewald wrote:
> > > > I think this problem should not be solved with configuring sshd.
> 
> > > Wrong... You can configure sshd to accept only login from recognized keys,
> > > and let the firewall open.
> 
> >  If there is an exploitable bug in that code, you're screwed, and the whole
> > world can crack your machine.  It's not really a problem to allow ssh access
> 
> Well, that's not only the case for sshd, but for any daemon with network
> access and that is running on the host. So even if with a secure sshd
> daemon, it's possible that another daemon running on the host has an
> exploitable bug and is used to crack the machine.

 That's no reason not to take a few simple steps to add some extra security
to sshd.


> > from the whole world, except when there's a problem with ssh.  What you
> 
> When has there been such a problem with ssh and ssh-v2 keys?

 I don't always use keys.  I sometimes want to log in from a friend's
computer (that I wouldn't want to leave an ssh private key lying around on),
or from a computer lab.  You never know where there might be bugs (unless
you have seriously analyzed the code, and are _sure_ you did it right, but
that's not the case for me...).

> Also
> may I ask if you are aware about privilege separation, ensuring that
> operations needing root access are handled in a separate privileged
> monitor process? (http://www.citi.umich.edu/u/provos/ssh/privsep.html)

 Yeah, I know about that.  It's another layer of security, just like what I
do with only allowing connections from a few IP blocks.

> > should try to do is limit the chance people have to crack your machine
> > before you can do something about it.  By allowing connections from only a
> > few IP address blocks, you cut out most of the crackers in the world, but
> > don't have to mess with dynamic DNS and lack of reverse lookup;  A good
> 
> But it's questionable if it's always possible to allow connections only
> from a handpicked amount of IPs/IP address blocks or not. Also it still
> leaves you with the possibility that a cracker cracks one of the
> machines being in the allowed IP space and using that machine to crack
> your system. I think it should be carefully evaluated if the advantages of
> restricting access to a well defined IP space are worth the effort or
> not.

 Of course it's not always possible.  If it is possible, and not too much
effort to identify the IP blocks, then it might be worth doing for some
people.  It's an extra layer of security.  It's not something to be relied
on to keep you safe, it's just something that makes it even more difficult
for the bad guys.  If it's too much work, or the chance of causing
inconvenience outweighs the (probably small, given the good security record
of ssh) benefits, then don't do it.  In my case, there are no significant
disadvantages.  I have an account on a computer that does allow ssh from
anywhere, so if I need to ssh to my machine from an IP that my sshd doesn't
allow, I can go through the other machine.

 I'm _not_ saying this is something that everyone has to do.  I'm just
saying that it might help a bit, and is something I do.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug.n , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BC
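As an added example (not from any of the posters), here is how the layered policy argued over in this thread could be written in a modern OpenSSH sshd_config: key-based login from anywhere, as François suggests, with password login confined to a few handpicked address blocks, as Peter does, and the firewall layer left separate. It assumes OpenSSH 4.4 or later for the Match block; the account name "peter" and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 ranges are placeholders (documentation ranges), not values from the thread.

```sshd_config
# Added example, not from the thread.  Layered sshd policy: keys accepted
# from anywhere, passwords only from a few trusted address blocks.
# Needs OpenSSH 4.4+ for "Match".

# --- Global defaults (apply to every source address) ---
# Version 2 only.  Protocol 1 is gone in OpenSSH 7.4+, where this
# keyword is accepted with a deprecation warning.
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
# Passwords are refused by default; the Match block below re-enables
# them only for the trusted blocks.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# Extra layer: only listed accounts may log in at all ("peter" is a
# placeholder account name).
AllowUsers peter
# Small failure budget; drop connections that do not authenticate quickly.
MaxAuthTries 3
LoginGraceTime 30
# Log accepted and failed logins with their source address so the
# restriction can be checked against the logs later.
LogLevel VERBOSE

# --- Trusted blocks: allow password login, e.g. from a friend's machine
# or a computer lab where no private key should be left lying around.
# 192.0.2.0/24 and 198.51.100.0/24 are placeholder documentation ranges.
Match Address 192.0.2.0/24,198.51.100.0/24
    PasswordAuthentication yes

# Validate before reloading: "sshd -t" checks the syntax, and
# "sshd -T -C ..." prints the effective settings for a given source
# address, so you can confirm that an address outside the blocks
# (203.0.113.5 here, a placeholder) still gets "passwordauthentication no":
#   sshd -t -f /etc/ssh/sshd_config
#   sshd -T -C user=peter,host=lab.example.com,addr=192.0.2.10   | grep -i passwordauth
#   sshd -T -C user=peter,host=other.example.com,addr=203.0.113.5 | grep -i passwordauth
```

Any source-IP filtering at the firewall (the approach Peter describes) sits in front of this file and is unaffected by it; the Match block only decides which authentication methods sshd offers once a connection is already accepted.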
