SSH configuration summary

Paul Lussier p.lussier at comcast.net
Fri Nov 4 09:27:00 EST 2005


Mark Polhamus <meplists at earthlink.net> writes:

> Larry Cook wrote:
>> This thread was very timely, as I wanted to set up my system for
>> remote access using SSH.  Here is a summary of the advice for a
>> secure SSH configuration that I gathered from the thread.  I've
>> included the specific /etc/ssh/sshd_config file entries:
>> ...
>>
>> Is there anything I missed?
>
> * Only allow users that require access
> 	AllowUsers importantUser

Depends upon how secure you want to be, but employing some or all of
the following can definitely help:

 - 2 factor authentication
 - 2 step login process
   (first to a bastion host, then to an internal one)
 - One-time-passwords
 - Kerberos

We currently use the bottom three on that list, where ssh is only
allowed inbound to one designated machine (which has been generally
hardened, including running the Bastille checklist on it and running
iptables).

SSH to this box requires the use of one-time-passwords and an account
on that box (completely separate from your internal account).  SSH'ing
from this box to something internal requires either obtaining kerberos
tickets, or the use of ssh keys.

The latter is actually preferred in this case, since, in order to get
kerberos tickets, you'd most likely have to authenticate to kerberos
from that system.  This would require you to type in your kerberos
passphrase on a box which is assumed to be compromised in the first
place.  Therefore, using SSH keys and forwarding your auth with ssh
will actually get you all the way inside without ever having to type a
compromisable passphrase on this assumed-to-be-compromised system.

Some less-than-sophisticated SSH users, and others on Windows have
been slightly annoyed with the OTP scheme, however, once educated
about how to properly use SSH port-forwarding, a little script
writing, and judicious use of GNU screen, all complaints have ceased.
(though, it's probably important to note that there are *no* business
type users of this system.  Everyone is either highly technical, or
willing to learn :)
 
-- 

Seeya,
Paul
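The two-step login Paul describes (hardened bastion with OTP, then keys to the inside), written out as an added configuration example that is not part of the original post. Host names, user names and key file names are assumed; the bastion side requires a key plus a PAM one-time-password module that is assumed to be installed, and the client side uses ProxyJump (OpenSSH 7.3 and later) instead of agent forwarding, so no key, passphrase or agent socket is ever presented to the bastion.

```sshconfig
# --- Bastion host: /etc/ssh/sshd_config (constructed example) ---
# Reusable passwords are off; each login needs a key AND an OTP
# delivered through PAM's keyboard-interactive path (2 factors).
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes   # KbdInteractiveAuthentication in newer releases
AuthenticationMethods publickey,keyboard-interactive

# Only the designated jump accounts (assumed names), nobody else.
AllowUsers jumpuser1 jumpuser2

# ProxyJump relays a TCP stream via the bastion (ssh -W), which needs
# TCP forwarding, but only to the internal SSH ports (assumed hosts).
AllowTcpForwarding yes
PermitOpen web1.internal.example.com:22 db1.internal.example.com:22
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
ClientAliveInterval 300
ClientAliveCountMax 2

# --- Client: ~/.ssh/config (constructed example) ---
# Hop 1: the bastion, using the separate jump account and its own key.
Host bastion
    HostName bastion.example.com      # assumed name
    User jumpuser1
    IdentityFile ~/.ssh/id_ed25519_bastion
    ForwardAgent no                   # never expose the agent socket to the bastion

# Hop 2: internal hosts reached through the bastion.  The key exchange
# with the internal host terminates on the client, so the internal
# key and its passphrase never touch the bastion.
Host *.internal.example.com
    ProxyJump bastion
    User alice                        # internal account (assumed)
    IdentityFile ~/.ssh/id_ed25519_internal
    ForwardAgent no
```

After editing the bastion file, `sshd -t` checks the syntax before a restart; on the client, `ssh -v web1.internal.example.com` shows the hop through `bastion` and which identity was offered to each host.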