From owner-freebsd-questions@FreeBSD.ORG Tue Oct 18 09:17:12 2005
From: Olaf Greve <o.greve@axis.nl>
To: freebsd-questions@freebsd.org
Date: Tue, 18 Oct 2005 11:17:03 +0200
Subject: Proper SSH set-up
Message-ID: <4354BD8F.7040308@axis.nl>
References: <20051018052432.GA11190@symonds.net> <20051018054617.GA12063@symonds.net>
In-Reply-To: <20051018054617.GA12063@symonds.net>

Hi all,

I have some probably straightforward questions regarding SSH, and I couldn't find the answers to all of them using Google, so I hope someone can provide me with them. :)

The situation:

Last week I added a second (fall-back) server next to my live server, and I want to automate down-syncing from the live server to the fall-back machine. Both machines have an "outside world" connection via one NIC, and both are connected to one another directly via a cross-wire on a second NIC, on a local 192.168.1.x net. The files get synced using rsync (over the 192.168.1.x net, of course), and I have also prepared a script for dumping the MySQL tables on the live server and pushing them into the fall-back server over an SSH tunnel (again: on the 192.168.1.x net).

My questions mainly concern this last step, as well as general SSH set-up questions.

The questions:

1- Which key types are better/preferred: RSA or DSA?

2- If I generate an RSA or DSA key on my fall-back server without a pass-phrase, and allow root access from the live server only (by stating something like "AllowUsers root@192.168.1.1" in sshd_config on the fall-back machine), will that somehow compromise the general SSH security of the fall-back machine (as no pass-phrase is then used) for outside-world connections?

3- I'm considering enforcing very strict SSH access. Will adding a line to sshd_config like "AllowUsers root@192.168.1.1 olaf eric" force SSH to ONLY allow those three users (and no other ones), with root only allowed from 192.168.1.1 and the other two users from anywhere in the world?

4- If I add an RSA/DSA key of the live server only to the authorized_keys file on the fall-back server, will SSH still allow me to connect to it using e.g. the user olaf with password authentication from anywhere in the world, or will that one then be locked out until I add the key of each and every machine I need access from to the authorized_keys file?

Thanks in advance, and cheers!

Olafo
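The set-up the questions above ask about, as an added example that is not part of the original message or of any reply on the list. It builds the two pieces the fall-back server needs: an authorized_keys entry for the passphrase-less sync key, with the OpenSSH `from=`, `command=` and `no-*` options that stop a leaked key from being anything more than "run the receive script from the live server", and an sshd_config fragment using `PermitRootLogin forced-commands-only` plus the `AllowUsers root@host user user` form from question 3. The live server's address 192.168.1.1 is taken from the post; the receive script path, the key file name and the sample public key are assumptions made for the example.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or any list reply).
# All directives and key options used here are standard OpenSSH ones.
#
# Assumed values: LIVE_IP comes from the post; SYNC_CMD and KEY_FILE are
# invented for the example.
LIVE_IP="192.168.1.1"
SYNC_CMD="/usr/local/bin/receive-dump.sh"   # assumed: reads the MySQL dump on stdin
KEY_FILE="/root/.ssh/sync_key"              # assumed path on the live server

# Weak form, for contrast: a bare key line such as
#   ssh-rsa AAAA... root@live
# Anyone who copies the unencrypted private key gets an unrestricted root
# shell on the fall-back box, from any host that can reach sshd.
#
# Hardened form: options in front of the key type limit what the key can do.
#   from=      accepted only when the client connects from the cross-wire peer
#   command=   run this and nothing else, whatever the client asked for
#              (the client's request is still visible in SSH_ORIGINAL_COMMAND)
#   no-*       no port/agent/X11 forwarding and no PTY, so the key cannot be
#              turned into a tunnel or an interactive session
restricted_authorized_key() {
    # $1 = the public key line as written by ssh-keygen to sync_key.pub
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$LIVE_IP" "$SYNC_CMD" "$1"
}

# sshd_config fragment for the fall-back server.
sshd_config_fragment() {
    cat <<EOF
Protocol 2
PubkeyAuthentication yes
# root may authenticate only with a key that carries a command= option,
# so the sync key works but a root password or an unrestricted key never will.
PermitRootLogin forced-commands-only
# Password logins stay on for the interactive accounts; adding keys to
# authorized_keys does not switch this off, only PasswordAuthentication does.
PasswordAuthentication yes
# Only these accounts may log in at all; root additionally only from the live server.
AllowUsers root@$LIVE_IP olaf eric
EOF
}

# Generate the passphrase-less key on the live server. RSA is chosen because
# ssh-keygen's DSA keys must be exactly 1024 bits, while RSA can be longer.
generate_sync_key() {
    ssh-keygen -t rsa -b 2048 -N '' -f "$KEY_FILE"
}

# Ask sshd itself to check a candidate config file before restarting it.
check_sshd_config() {
    # $1 = path to the candidate sshd_config
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Demo run: what gets appended to /root/.ssh/authorized_keys on the fall-back
# server, then what goes into its sshd_config. The public key is constructed,
# not a real key.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedsamplekey= root@live'
restricted_authorized_key "$SAMPLE_PUB"
echo '---'
sshd_config_fragment
```

With this in place the two halves reinforce each other: `AllowUsers root@192.168.1.1` makes sshd refuse root from the public interface before authentication is even attempted, and `forced-commands-only` plus the `command=` option mean that even a copy of the private key taken off the live server can only ever run the receive script, and only from that address. The interactive accounts are unaffected by the key being added; they keep password authentication from anywhere until `PasswordAuthentication` is turned off or they are given keys of their own.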