Skip site navigation (1)Skip section navigation (2)
Date:      19 Oct 2005 09:16:55 -0400
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Olaf Greve <o.greve@axis.nl>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Proper SSH set-up
Message-ID:  <44wtk9y7co.fsf@be-well.ilk.org>
In-Reply-To: <4354BD8F.7040308@axis.nl>
References:  <20051018052432.GA11190@symonds.net> <20051018054617.GA12063@symonds.net> <4354BD8F.7040308@axis.nl>

next in thread | previous in thread | raw e-mail | index | archive | help
Olaf Greve <o.greve@axis.nl> writes:

> Hi all,
> 
> I have some probably straightforward questions regarding SSH, and I
> couldn't find the answers to all of them using Google, so I hope
> someone can provide me with them. :)
> 
> The situation:
> Last week I added a second (fall-back) server next to my life server,
> and I want to automate down-syncing from the life server to the
> fall-back machine. Both machines have an "outside world" connection
> via one NIC, and both are connected to one another directly via a
> cross-wire, on a second NIC, on a local 192.168.1.x net. The files get
> synced using rsync (over the 192.168.1.x net, of course), and I also
> have prepared a script for dumping the MySQL tables on the live
> server, and pushing them into the fall-back server over an SSH tunnel
> (again: on the 192.168.1.x net).
> 
> My questions mainly concern this last step, as well as general SSH
> set-up questions.
> 
> The questions:
> 1-Which key types are better/preferred: RSA or DSA?

For default-sized keys, the differences are unimportant.
If you use longer key lengths (over 1280 bits, I think), DSA doesn't
improve security, but RSA does.

> 2-If I generate an RSA or DSA key on my fall-back server without a
> pass-phrase, and allow root access from the life server only (by
> stating something like AllowUsers root@192.168.1.1 in sshd_config on
> the fall-back machine), will that somehow compromise the general SSH
> security of the fall-back machine (as no pass-phrase is then used),
> for outside world connections?

You can limit the key's use so that it shouldn't compromise your
security, but it's always possible that a bug or a mistake on your
part will open up the machine unintentionally.  I feel safer not
allowing remote privileged access to my machines at all.

> 3-I'm considering enforcing very strict SSH access. Will adding a line
> to sshd_config like: "AllowUsers root@192.168.1.1 olaf eric" force SSH
> to ONLY allow those three users (and no other ones), with root only
> allowed from 192.168.1.1, and the other two users from anywhere in the
> world?

It's supposed to.  I haven't tested it lately; try an experiment.

> 4-If I add an RSA/DSA key of the life server only to the
> authorized_keys files on the fall-back server, will SSH still allow me
> to connect to it using e.g. the user olaf with password authentication
> from anywhere in the world, or will that one then be locked out until
> I add the key of each and every machine I need access from to the
> authorized_keys file?

In the default configuration, you will still be able to log in with
your user account.

Also consider limiting the passphraseless key: the sshd(8) manual page
describes a number of limitations you can put in the authorized_keys
file for this purpose.

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
		http://be-well.ilk.org/~lowell/



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44wtk9y7co.fsf>