Tutoring on SSD/SSH
David A. Bandel
Mon May 17 11:35:18 PDT 2004
On 23 Jul 2002 20:55:40 -0500
begin Michael Hipp <MHipp at redmule.com> spewed forth:
> Yes. Read them. Frankly wasn't able to make much of them as they gave a
> bunch of steps but don't really tell what the end objective/state is.
>
> Even in the Red Hat documentation it tells how to establish keys and so
> forth but it all seems geared toward making sure the host you're hitting
> is the correct one. Rather than making sure the client is the correct
> one. And it still doesn't really tell what you've accomplished once
> you've done it.
>
> And there are essentially no docs at openssh.org.
>
[snip]
Michael,
OK, the answer will depend on whether you're talking about protocol 1 or
2. They are different. However, both have similar ways to authenticate a
system:
password login (what you don't want)
rhosts login (a bad idea)
authorized keys (what you want)
rhosts + authorized keys (more restrictive than what you want, but may
stop an authorized host because you can't establish identity)
user logins (more restrictive, but may work as well)
Protocol 1:
RhostsAuthentication: (uses the rhosts file -- a _really_ bad idea)
RhostsRSAAuthentication: leave as no
RSAAuthentication: what you want for a protocol 1 client.
Protocol 2:
HostbasedAuthentication: you don't want this (default no), same as
RhostsAuthentication above (uses hosts.equiv vice rhosts)
PubKeyAuthentication -- WHAT YOU WANT! Default = yes.
Both Protocols:
AllowUsers takes a list of space-separated usernames (or user@host) and
only allows these logins -- might work for you in addition to
PubKeyAuthentication (above).
IgnoreRhosts -- a good idea
IgnoreUserKnownHosts -- a _really_ good idea if you want to control which
hosts can log in.
PAMAuthenticationViaKbdInt -- leave as no.
KerberosOrLocalPassword -- make this no. Will use Kerberos or fall back
to /etc/passwd.
PasswordAuthentication -- set this to no.
PermitEmptyPasswords -- really bad idea (no one should have a null
password).
PermitRootLogin -- leave this as yes.
UseLogin -- leave as no (you definitely don't want this).
I suggest you restrict logins to protocol 2 if at all possible. Just
specify:
Protocol 2
Help?
Ciao,
David A. Bandel
--
Focus on the dream, not the competition.
-- Nemesis Racing Team motto
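An added example, not part of the thread or of OpenSSH: a small Python checker that parses an sshd_config and reports which of the settings recommended in the reply above are not met (PermitRootLogin is not checked). It assumes OpenSSH 3.x-era keywords, that sshd keeps the first occurrence of a keyword, the defaults the reply states for PubkeyAuthentication and HostbasedAuthentication, and a constructed sample config.

```python
import re

# Keyword -> value recommended in the reply (sshd keywords are case-insensitive).
WANTED = {
    "protocol": "2",            # checked as "no protocol 1 anywhere in the list"
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "ignoreuserknownhosts": "yes",
    "kerberosorlocalpassword": "no",
    "pamauthenticationviakbdint": "no",
    "uselogin": "no",
}
# Defaults the reply states (assumed OpenSSH 3.x); any other unset keyword is reported as None.
DEFAULTS = {"pubkeyauthentication": "yes", "hostbasedauthentication": "no"}

def parse_sshd_config(text):
    """Return {keyword.lower(): value}, keeping the FIRST occurrence as sshd does."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        m = re.match(r"(\w+)\s*=?\s*(.+)", line)      # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":                             # lines after Match are conditional
            break
        conf.setdefault(key, value)
    return conf

def audit(text):
    """List (keyword, found, wanted) for each recommended setting that is not met."""
    conf = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        found = conf.get(key, DEFAULTS.get(key))
        if key == "protocol":                          # "2,1" still accepts protocol 1
            ok = found is not None and "1" not in [v.strip() for v in found.split(",")]
        else:
            ok = found is not None and found.lower() == wanted
        if not ok:
            findings.append((key, found, wanted))
    return findings

# Constructed sample: a permissive config of the sort the questioner may be starting from.
SAMPLE = "Protocol 2,1\nPasswordAuthentication yes\nIgnoreRhosts yes\nUseLogin no\n"
```

Run `audit(SAMPLE)` to get the list of deviations; a `found` of None means the keyword is not set explicitly and not covered by the stated defaults.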