From: Lowell Gilbert
To: Olaf Greve
Cc: freebsd-questions@freebsd.org
Date: 19 Oct 2005 09:16:55 -0400
Subject: Re: Proper SSH set-up
Message-ID: <44wtk9y7co.fsf@be-well.ilk.org>
In-Reply-To: <4354BD8F.7040308@axis.nl>

Olaf Greve writes:

> Hi all,
>
> I have some probably straightforward questions regarding SSH, and I
> couldn't find the answers to all of them using Google, so I hope
> someone can provide me with them. :)
>
> The situation:
> Last week I added a second (fall-back) server next to my live server,
> and I want to automate down-syncing from the live server to the
> fall-back machine. Both machines have an "outside world" connection
> via one NIC, and both are connected to one another directly via a
> cross-wire, on a second NIC, on a local 192.168.1.x net. The files get
> synced using rsync (over the 192.168.1.x net, of course), and I also
> have prepared a script for dumping the MySQL tables on the live
> server, and pushing them into the fall-back server over an SSH tunnel
> (again: on the 192.168.1.x net).
>
> My questions mainly concern this last step, as well as general SSH
> set-up questions.
>
> The questions:
> 1-Which key types are better/preferred: RSA or DSA?

For default-sized keys, the differences are unimportant. If you use longer key lengths (over 1280 bits, I think), DSA doesn't improve security, but RSA does.

> 2-If I generate an RSA or DSA key on my fall-back server without a
> pass-phrase, and allow root access from the live server only (by
> stating something like AllowUsers root@192.168.1.1 in sshd_config on
> the fall-back machine), will that somehow compromise the general SSH
> security of the fall-back machine (as no pass-phrase is then used),
> for outside world connections?

You can limit the key's use so that it shouldn't compromise your security, but it's always possible that a bug or a mistake on your part will open up the machine unintentionally. I feel safer not allowing remote privileged access to my machines at all.

> 3-I'm considering enforcing very strict SSH access. Will adding a line
> to sshd_config like: "AllowUsers root@192.168.1.1 olaf eric" force SSH
> to ONLY allow those three users (and no other ones), with root only
> allowed from 192.168.1.1, and the other two users from anywhere in the
> world?

It's supposed to. I haven't tested it lately; try an experiment.

> 4-If I add an RSA/DSA key of the live server only to the
> authorized_keys files on the fall-back server, will SSH still allow me
> to connect to it using e.g. the user olaf with password authentication
> from anywhere in the world, or will that one then be locked out until
> I add the key of each and every machine I need access from to the
> authorized_keys file?

In the default configuration, you will still be able to log in with your user account.

Also consider limiting the passphraseless key: the sshd(8) manual page describes a number of limitations you can put in the authorized_keys file for this purpose.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
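
The limitations that sshd(8) documents for authorized_keys are written as a comma-separated option list in front of the key. As an added example (not part of the original message), this Python script parses authorized_keys entries and reports which limiting options each key lacks; the key blobs are placeholders, and the command path and key comments are constructed for illustration.

```python
import re

# Restrictions an unattended (passphraseless) key should carry; see sshd(8).
WANTED = ("from", "command", "no-pty", "no-port-forwarding",
          "no-agent-forwarding", "no-X11-forwarding")
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")   # a line starting so has no options
# One option: a name, optionally ="value" where the value may contain \" escapes.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

# Constructed sample: key blobs are placeholders, the command path is hypothetical.
SAMPLE = '''\
ssh-rsa AAAAB3NzaPLACEHOLDER root@live-unrestricted
from="192.168.1.1",command="/usr/local/sbin/load-mysql-dump",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaPLACEHOLDER root@live-sync
'''

def split_entry(line):
    """Split one authorized_keys line into (options, rest-of-line)."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return "", line
    # Options end at the first whitespace that is outside double quotes.
    in_quotes, i = False, 0
    while i < len(line) and (in_quotes or not line[i].isspace()):
        if line[i] == "\\" and in_quotes:
            i += 1                          # skip the escaped character
        elif line[i] == '"':
            in_quotes = not in_quotes
        i += 1
    return line[:i], line[i:].strip()

def audit(text):
    """Map each key (by comment, else key type) to the restrictions it lacks."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts, rest = split_entry(line)
        fields = rest.split(None, 2)        # key type, base64 blob, comment
        if not fields:
            continue
        present = {m.group(1).lower() for m in OPTION_RE.finditer(opts)}
        if "restrict" in present:           # OpenSSH 7.2+: no pty, no forwarding
            present |= {w.lower() for w in WANTED[2:]}
        label = fields[2] if len(fields) > 2 else fields[0]
        report[label] = [w for w in WANTED if w.lower() not in present]
    return report

if __name__ == "__main__":
    for who, missing in audit(SAMPLE).items():
        print(who, "->", "OK" if not missing else "missing: " + ", ".join(missing))
```

A key that reports nothing missing is pinned to one source address and one forced command, so holding the passphraseless private key alone does not give an interactive root shell.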