Proper SSH set-up

Olaf Greve o.greve at axis.nl
Tue Oct 18 02:17:13 PDT 2005


Hi all,

I have some probably straightforward questions regarding SSH, and I 
couldn't find the answers to all of them using Google, so I hope someone 
can provide me with them. :)

The situation:
Last week I added a second (fall-back) server next to my live server, 
and I want to automate down-syncing from the live server to the 
fall-back machine. Both machines have an "outside world" connection via 
one NIC, and both are connected to one another directly via a 
cross-wire, on a second NIC, on a local 192.168.1.x net. The files get 
synced using rsync (over the 192.168.1.x net, of course), and I also 
have prepared a script for dumping the MySQL tables on the live server, 
and pushing them into the fall-back server over an SSH tunnel (again: on 
the 192.168.1.x net).

My questions mainly concern this last step, as well as general SSH 
set-up questions.

The questions:
1-Which key types are better/preferred: RSA or DSA?
2-If I generate an RSA or DSA key on my fall-back server without a 
pass-phrase, and allow root access from the live server only (by stating 
something like AllowUsers root@192.168.1.1 in sshd_config on the 
fall-back machine), will that somehow compromise the general SSH 
security of the fall-back machine (as no pass-phrase is then used), for 
outside world connections?
3-I'm considering enforcing very strict SSH access. Will adding a line 
to sshd_config like: "AllowUsers root@192.168.1.1 olaf eric" force SSH 
to ONLY allow those three users (and no other ones), with root only 
allowed from 192.168.1.1, and the other two users from anywhere in the 
world?
4-If I add an RSA/DSA key of the live server only to the authorized_keys 
files on the fall-back server, will SSH still allow me to connect to it 
using e.g. the user olaf with password authentication from anywhere in 
the world, or will that one then be locked out until I add the key of 
each and every machine I need access from to the authorized_keys file?

Thanks in advance, and cheers!
Olafo
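As an added illustration (not part of the original post), the following Python models how sshd evaluates an AllowUsers line of the kind asked about in question 3, and builds the restricted authorized_keys entry that limits what a passphrase-less sync key (question 2) can do. The matcher is a simplification: the HOST part is checked against the client IP only, whereas real sshd also tries the resolved hostname and processes DenyUsers first; the key string and command path are placeholders.

```python
# Added example, not code from the original post. Simplified model of
# sshd's AllowUsers matching: HOST is compared to the client IP only
# (real sshd also tries the resolved hostname; DenyUsers is checked first).

def match_pattern(s, p):
    """sshd-style glob: '*' matches any run of characters, '?' exactly one."""
    if not p:
        return not s
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    return bool(s) and p[0] in ("?", s[0]) and match_pattern(s[1:], p[1:])


def parse_allow_users(line):
    """'AllowUsers root@192.168.1.1 olaf eric' -> [(user, host-or-None), ...]"""
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "AllowUsers":
        raise ValueError("expected an AllowUsers directive")
    patterns = []
    for token in rest.split():
        user, sep, host = token.partition("@")
        patterns.append((user, host if sep else None))
    return patterns


def allowed(patterns, user, client_ip):
    """No AllowUsers at all: every user passes this check. Otherwise the login
    must match some pattern, USER and HOST being checked separately."""
    if not patterns:
        return True
    for user_pat, host_pat in patterns:
        if match_pattern(user, user_pat) and (
            host_pat is None or match_pattern(client_ip, host_pat)
        ):
            return True
    return False


def restricted_key_line(pubkey, from_host, command):
    """authorized_keys entry that confines a passphrase-less key: accepted only
    from the given source, only for the given command, no forwarding or pty."""
    options = [f'from="{from_host}"', f'command="{command}"',
               "no-port-forwarding", "no-X11-forwarding",
               "no-agent-forwarding", "no-pty"]
    return ",".join(options) + " " + pubkey


if __name__ == "__main__":
    pats = parse_allow_users("AllowUsers root@192.168.1.1 olaf eric")
    for who, ip in [("root", "192.168.1.1"), ("root", "203.0.113.9"),
                    ("olaf", "203.0.113.9"), ("www", "192.168.1.1")]:
        print(f"{who} from {ip}: {'allowed' if allowed(pats, who, ip) else 'denied'}")
```

Note that AllowUsers only filters which users may authenticate at all; whether a matched user may still use a password is governed separately by PasswordAuthentication, and adding a key to authorized_keys does not by itself turn password logins off.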

