Date:      Thu, 23 Oct 2003 12:28:33 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Gene Mats <genemats@earthlink.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: SSHD Host Based Authentication NOT working
Message-ID:  <20031023112833.GB39601@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <002a01c39909$d6bea6c0$b071cea7@inex>
References:  <002a01c39909$d6bea6c0$b071cea7@inex>

On Wed, Oct 22, 2003 at 10:03:23PM -0400, Gene Mats wrote:
> Hello,
>
> I am having a problem with activating SSHD Host Based Authentication on
> my FreeBSD OS. Below is my /etc/ssh/sshd_config file.
>
> HostbasedAuthentication yes
> PermitRootLogin no
> VerifyReverseMapping yes
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
>
> My /etc/hosts.equiv and /etc/shosts.equiv have a few specific hostnames.
> But it seems I can still connect from any host -(.
>
> How can I block ALL hosts' access to my SSHD. I tried putting in a minus
> minus in the /etc/hosts.equiv and /etc/shosts.equiv and I have the
> HostbasedAuthentication setting turned up to yes. Still no success.
>
> Any help would be appreciated.

Yes -- {,s}hosts.equiv don't control what hosts you can connect from,
only what hosts will be allowed to bypass the usual authentication
step.

To prevent remote hosts connecting to your sshd(8), you can use
tcpwrappers (/etc/hosts.allow) or you can set up a firewall to filter
incoming packets to port 22.

Do you really need to use host based access control?  It is not
generally recommended nowadays -- too many possibilities for spoofing
or other nastiness unless you really know what you're doing and the
rest of your network infrastructure is pretty bullet proof.  It's
generally held to be preferable to use key based authentication --
these can be passwordless keys for unattended operation, and you
should make full use of the features of the ~/.ssh/authorized_keys
file that limit what hosts may connect and what commands they run
using any particular key.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
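The two controls Matthew recommends, as an added example that is not part of the original thread: a tcpwrappers stanza that restricts which clients can reach sshd at all, and an authorized_keys entry that restricts which hosts may use a given key and what it may run. The addresses, hostnames, command and public key are constructed placeholders. The client_matches_from function is a small reimplementation of the from= pattern rules from sshd(8) (the * and ? wildcards, and ! negation) so a pattern list can be checked offline before a key is deployed; it does not handle the CIDR address form that sshd also accepts.

```shell
#!/bin/sh
# Added example, not code from the original message. All names, addresses,
# the command and the key below are constructed placeholders.

# hosts_allow_stanza ALLOWED_PATTERNS
# Prints /etc/hosts.allow lines for sshd: allow the listed clients, deny ALL.
# tcpwrappers takes the first matching line, so the deny line must come last.
hosts_allow_stanza() {
    printf 'sshd : %s : allow\n' "$1"
    printf 'sshd : ALL : deny\n'
}

# restricted_key_line FROM_PATTERNS COMMAND PUBKEY
# Prints one ~/.ssh/authorized_keys entry. from= limits which client hosts or
# addresses may present the key, command= forces that command whatever the
# client asked for, and the no-* options drop pty allocation and forwarding.
restricted_key_line() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2" "$3"
}

# client_matches_from CLIENT FROM_PATTERNS
# Returns 0 when CLIENT (hostname or address as sshd resolves it) is accepted
# by the comma-separated from= list. Mirrors the sshd(8) PATTERNS rules:
# '*' and '?' are wildcards, a leading '!' negates a pattern, and a matching
# negated pattern rejects the client even if another pattern matched.
client_matches_from() {
    client=$1
    accepted=1
    saved_ifs=$IFS
    IFS=,
    for pat in $2; do
        case $pat in
            !*) neg=${pat#!}
                case $client in
                    $neg) IFS=$saved_ifs; return 1 ;;
                esac ;;
            *)  case $client in
                    $pat) accepted=0 ;;
                esac ;;
        esac
    done
    IFS=$saved_ifs
    return $accepted
}

# Demonstration with placeholder values. For an unattended job the key pair
# would be generated passwordless with: ssh-keygen -t ed25519 -N '' -f backup_key
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBODYxxxxxxxxxxxxxxxxxxxx backup@build.example.com'

echo '# /etc/hosts.allow'
hosts_allow_stanza '10.0.0.0/255.255.255.0, build.example.com'
echo
echo '# ~/.ssh/authorized_keys'
restricted_key_line '10.0.0.*,!10.0.0.9' '/usr/local/bin/run-backup' "$PUBKEY"
```

Run it as a plain sh script; it prints the two fragments. The from= list in the demonstration accepts the 10.0.0.0/24 hosts except 10.0.0.9, which client_matches_from confirms: 10.0.0.5 is accepted, 10.0.0.9 is rejected by the negation, and anything outside the prefix is rejected because no pattern matched. Note that hosts.allow and from= both rely on the client address (and, for hostnames, on reverse DNS), so they narrow exposure but are not a substitute for the key itself.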
