Proper SSH set-up
o.greve at axis.nl
Tue Oct 18 02:17:13 PDT 2005
I have some probably straightforward questions regarding SSH, and I
couldn't find the answers to all of them using Google, so I hope someone
can provide me with them. :)
Last week I added a second (fall-back) server next to my live server,
and I want to automate down-syncing from the live server to the
fall-back machine. Both machines have an "outside world" connection via
one NIC, and both are connected to one another directly via a
cross-wire, on a second NIC, on a local 192.168.1.x net. The files get
synced using rsync (over the 192.168.1.x net, of course), and I also
have prepared a script for dumping the MySQL tables on the live server,
and pushing them into the fall-back server over an SSH tunnel (again: on
the 192.168.1.x net).
My questions mainly concern this last step, as well as general SSH
1-Which key types are better/preferred: RSA or DSA?
2-If I generate an RSA or DSA key on my fall-back server without a
pass-phrase, and allow root access from the live server only (by stating
something like AllowUsers root@192.168.1.1 in sshd_config on the
fall-back machine), will that somehow compromise the general SSH
security of the fall-back machine (as no pass-phrase is then used), for
outside world connections?
3-I'm considering enforcing very strict SSH access. Will adding a line
to sshd_config like: "AllowUsers root@192.168.1.1 olaf eric" force SSH
to ONLY allow those three users (and no other ones), with root only
allowed from 192.168.1.1, and the other two users from anywhere in the
4-If I add an RSA/DSA key of the live server only to the authorized_keys
files on the fall-back server, will SSH still allow me to connect to it
using e.g. the user olaf with password authentication from anywhere in
the world, or will that one then be locked out until I add the key of
each and every machine I need access from to the authorized_keys file?
Thanks in advance, and cheers!
More information about the freebsd-questions
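
How sshd evaluates the "AllowUsers root@192.168.1.1 olaf eric" line from question 3, as an added example that is not part of the original post: a simplified Python model of the matching. The function names and the sample client addresses are assumptions made for illustration, and HOST is compared against the client address only (no reverse DNS, CIDR or "!" negation handling).

```python
from fnmatch import fnmatchcase

# The directive quoted in question 3 of the post.
ALLOW = "root@192.168.1.1 olaf eric"

# Constructed login attempts: (user, client address).
ATTEMPTS = [
    ("root", "192.168.1.1"),   # root over the cross-wire link
    ("root", "203.0.113.7"),   # root from an outside address
    ("olaf", "203.0.113.7"),   # listed user, no host restriction
    ("eric", "192.168.1.1"),   # listed user, no host restriction
    ("mysql", "192.168.1.1"),  # user that is not listed at all
]


def allow_users_permits(allow_users, user, client_addr):
    """Return True if a simplified AllowUsers check lets this login proceed.

    Patterns are space-separated. A bare USER pattern matches that user from
    any address; USER@HOST requires both parts to match. Once the directive
    is present, a user matching no pattern is refused.
    """
    patterns = allow_users.split()
    if not patterns:
        return True  # models an absent directive: it imposes no restriction
    for pattern in patterns:
        user_pat, has_host, host_pat = pattern.partition("@")
        if not fnmatchcase(user, user_pat):
            continue
        if has_host and not fnmatchcase(client_addr, host_pat):
            continue
        return True
    return False


def evaluate(allow_users, attempts):
    """Evaluate each (user, address) attempt against the directive."""
    return [(u, a, allow_users_permits(allow_users, u, a)) for u, a in attempts]


if __name__ == "__main__":
    for user, addr, ok in evaluate(ALLOW, ATTEMPTS):
        print(f"{user:6} from {addr:12} -> {'allowed' if ok else 'refused'}")
```

AllowUsers only decides who may log in; which authentication methods are offered is governed by separate sshd_config options such as PasswordAuthentication and PubkeyAuthentication.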