[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] ssh questions



On 2/15/06, Mark Gumprecht <gumprechtm msad3 org> wrote:
> Alan,
> I found this link to be very helpful.
> http://backuppc.sourceforge.net/faq/ssh.html
> That will tell you how to setup and test an automated ssh connection.
> The mistake I made was not to check the permissions of the .ssh
> directory and files there in. If you have webmin installed and the fire
> wall is on, add in a rule about port 22 and who can access it, I'm no
> pro, just enough to be dangerous.
> Mark
>
>
> ahodson elp rr com wrote:
>
> >Hey list
> >
> >I am having a hard time with one of the K12LTSP v4.4.1 servers trying to
> >properly configure ssh remote access... Could one of the gurus here
> >throw some light as to a) how do I test ssh access setup? and 2) equally
> >important, what is the proper way to limit ssh access to these servers
> >from a given static IP?
> >

To allow or deny access the files to be edited are /etc/hosts.allow &
/etc/hosts.deny
So to allow only access from one static IP att this in allow file and
put a "*" in deny file.

Detailed behaviour of ssh can be configure by editing
/etc/ssh/ssh.conf (or sshd.conf) You can specify for instance not to
allow root access from ssh. This way first you can log in as user and
then sudo for commands that nee root access.

One of the things you can do is to restrict entry only from those
hosts and users whose public key exists and deny login with password.
This way users generate key on the machine they are going to ssh from
(client) by giving command "ssh-keygn -t dsa" and then send the
resultant public key generated, as file attachment,
/home/user/.ssh/id_dsa.pb over email to the host where they are going
to connect (server) At the host the admin (or user themselves) can do
"cat id_dsa.pub >> /home/user/.ssh/authorzed_keys2"

Thereafter this user from that client only can log in from outside to
the server. Beauty is that even if some one gets hold of id_dsa.pub it
is of no use at all since the authentication of this depends on
private key "/home/user/.ssh/id_dsa" which is left on the client
computer.

HTH ;-)
--
Sudev Barar
Learning Linux


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]