Securing SSH

Leonid Mamtchenkov leonid at leonid.maks.net
Sat Jan 10 00:06:05 UTC 2004


* Roland Venter <rolandv at xtra.co.nz> [10-Jan-2004 12:52]:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
> 
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.

Check out comments in /etc/security/access.conf.  It seems that you can
use symbolic domain names instead of IP address.  This should give you
more freedom.

Alternatively, you can have a script that regenerates your iptables
ruleset once in a while (say daily).  This script can take a list of IP
addresses allowed to access from some external source, such as an LDAP
directory.  This way, in case of any IP change, you will have to only
update your central storage and all hosts will use the information
within the update period.  Just an idea. :)

> We also need to provide access to engineers working from home using dialup,
> etc
> Some sort of client certificates to supplement username and password,
> Recommendations on securing the SSH daemon etc
> Any ideas and tips appreciated

openssh does support key-based authorization.  Check out "man ssh" and
"man ssh-keygen".

-- 
 Leonid Mamtchenkov.
 http://www.leonid.maks.net

BOFH: We're on Token Ring, and it looks like the token got loose.
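The "regenerate the ruleset from a central list" idea above, worked through as an added example (this is not code from the post or from the fedora-list). It assumes a plain text file stands in for the LDAP directory the reply mentions, uses a hypothetical path under /tmp for it, and only prints the iptables commands it would apply (pipe the output to sh to apply them). The one safety it adds is that an empty or unreadable list aborts the run instead of producing a ruleset that drops everything, so a failed fetch from the central store cannot lock you out:

```shell
#!/bin/sh
# Added example: build an SSH allow-list chain from a central list.
# ALLOWLIST is a hypothetical path standing in for the LDAP directory.
ALLOWLIST="${ALLOWLIST:-/tmp/ssh-allowlist.txt}"
SSH_PORT=22

# write_sample_allowlist: constructed sample list, one entry per line.
# Entries may be IP/CIDR or hostnames; lines starting with '#' are comments.
write_sample_allowlist() {
  cat > "$1" <<'EOF'
# management network (constructed example addresses)
192.0.2.0/24
# backup admin host
198.51.100.7
EOF
}

# resolve_entry: print the address for one entry. Literal IP/CIDR entries pass
# through; anything else is treated as a hostname and resolved with getent,
# so a changed ISP address only needs a DNS update, not a site visit.
resolve_entry() {
  case "$1" in
    *[!0-9./]*)
      if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
      else
        echo "cannot resolve $1: getent not available" >&2
      fi ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# generate_rules: emit iptables commands that (re)build a dedicated SSH-ALLOW
# chain and hook it into INPUT for the SSH port. Returns 1 without emitting
# anything if the list has no usable entries, to avoid a lock-out.
generate_rules() {
  list="$1"
  entries=$(grep -v '^[[:space:]]*#' "$list" 2>/dev/null | grep -v '^[[:space:]]*$') || true
  if [ -z "$entries" ]; then
    echo "allowlist $list is empty or unreadable; keeping the existing ruleset" >&2
    return 1
  fi
  echo "iptables -N SSH-ALLOW 2>/dev/null || iptables -F SSH-ALLOW"
  printf '%s\n' "$entries" | while read -r entry; do
    addr=$(resolve_entry "$entry")
    [ -n "$addr" ] && echo "iptables -A SSH-ALLOW -s $addr -j ACCEPT"
  done
  echo "iptables -A SSH-ALLOW -j DROP"
  echo "iptables -C INPUT -p tcp --dport $SSH_PORT -j SSH-ALLOW 2>/dev/null || iptables -I INPUT -p tcp --dport $SSH_PORT -j SSH-ALLOW"
  return 0
}

# Stand-alone run: create the sample list and print the resulting commands.
write_sample_allowlist "$ALLOWLIST"
generate_rules "$ALLOWLIST"
```

Run it from cron at whatever interval you are willing to wait for an address change to propagate; the chain is flushed and rebuilt each time, so removed entries disappear on the next run as well.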