From owner-freebsd-security Thu Jan 20 7: 7:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from altair.origenbio.com (altair.origenbio.com [216.30.62.130]) by hub.freebsd.org (Postfix) with ESMTP id 7133314F1E for ; Thu, 20 Jan 2000 07:07:30 -0800 (PST) (envelope-from dmartin@origenbio.com)
Received: from origenbio.com (dubhe.origen [192.168.0.5]) by altair.origenbio.com (8.9.3/8.9.3) with ESMTP id JAA19218; Thu, 20 Jan 2000 09:07:24 -0600 (CST) (envelope-from dmartin@origenbio.com)
Message-ID: <3887246F.310D98F8@origenbio.com>
Date: Thu, 20 Jan 2000 09:06:23 -0600
From: Richard Martin
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: sen_ml@eccosys.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh
References: <20000120093017.18539.qmail@hotmail.com> <20000120193954V.1000@eccosys.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

sen_ml@eccosys.com wrote:
>
> jslat> For what need would one have to even remotely log on to the
> jslat> root account? My advice is to not even have a ~/root/.ssh to
> jslat> begin with. To me it's about as silly as ~/root/.rhosts.
>

A suggestion we use is to change the sshd.config to the following:

    PasswordAuthentication no

This requires use of the RSA key phrase (not the user password) to log in to ssh. Since the RSA key phrase is never kept on the machine, it adds another level of security. And since our pass phrase for root is a 44-character phrase including numbers and caps, it's probably rather difficult to guess.

Then make it more difficult to even get a connection. Change in ssh.config:

    StrictHostKeyChecking yes

StrictHostKeyChecking requires that the sysadmin append any new keys to whomever's keyring, meaning that strangers cannot just log in and append their keys by default. This is a bit more work for the operator, but very much more secure. Depends on how many people need ssh access, I guess.

Finally, if you have only a few remote machines that need to get ssh access, use the AllowHosts [hosts] directive in sshd.

--
Richard Martin                    dmartin@origen.com
OriGen Biomedical                 Tel: +1 512 474 7278
2525 Hartford Rd.                 Fax: +1 512 708 8522
Austin, TX 78703                  http://www.cardiacdocs.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
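An added example, not part of Richard's mail or of any ssh distribution: a small sh audit that reports the effective PasswordAuthentication value in an sshd_config (the server-side file; the client-side ssh_config is where StrictHostKeyChecking lives). It assumes the standard sshd rule that the first occurrence of a keyword wins, ignores Match blocks, and uses two constructed sample configs.

```shell
#!/bin/sh
# Added example (not from the original mail). sshd honours the FIRST
# occurrence of a keyword (keywords are case-insensitive), so a hardening
# line appended at the end is silently ignored if an earlier line already
# set the same keyword. Assumption: Match blocks are not parsed; only the
# global section before the first "Match" is inspected.

# effective_value FILE KEYWORD -> first value set for KEYWORD, or "default"
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # comment line
        /^[[:space:]]*$/ { next }             # blank line
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_password_auth FILE -> "ok" when password logins are off, else "weak"
# (the compiled-in default for PasswordAuthentication is yes, so "default"
# is reported as weak too)
check_password_auth() {
    case "$(effective_value "$1" PasswordAuthentication)" in
        no) echo ok ;;
        *)  echo weak ;;
    esac
}

# Constructed sample configs so the script runs stand-alone.
WEAK=$(mktemp); STRONG=$(mktemp)
trap 'rm -f "$WEAK" "$STRONG"' EXIT
cat > "$WEAK" <<'EOF'
# operator appended the hardening line, but the earlier "yes" wins
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$STRONG" <<'EOF'
PermitRootLogin no
passwordauthentication no
PubkeyAuthentication yes
EOF
echo "weak config:   $(check_password_auth "$WEAK")"    # weak
echo "strong config: $(check_password_auth "$STRONG")"  # ok
```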