Proper SSH set-up
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Wed Oct 19 06:16:58 PDT 2005
Olaf Greve <o.greve at axis.nl> writes:
> Hi all,
>
> I have some probably straightforward questions regarding SSH, and I
> couldn't find the answers to all of them using Google, so I hope
> someone can provide me with them. :)
>
> The situation:
> Last week I added a second (fall-back) server next to my life server,
> and I want to automate down-syncing from the life server to the
> fall-back machine. Both machines have an "outside world" connection
> via one NIC, and both are connected to one another directly via a
> cross-wire, on a second NIC, on a local 192.168.1.x net. The files get
> synced using rsync (over the 192.168.1.x net, of course), and I also
> have prepared a script for dumping the MySQL tables on the live
> server, and pushing them into the fall-back server over an SSH tunnel
> (again: on the 192.168.1.x net).
>
> My questions mainly concern this last step, as well as general SSH
> set-up questions.
>
> The questions:
> 1-Which key types are better/preferred: RSA or DSA?
For default-sized keys, the differences are unimportant.
If you use longer key lengths (over 1280 bits, I think), DSA doesn't
improve security, but RSA does.
> 2-If I generate an RSA or DSA key on my fall-back server without a
> pass-phrase, and allow root access from the life server only (by
> stating something like AllowUsers root at 192.168.1.1 in sshd_config on
> the fall-back machine), will that somehow compromise the general SSH
> security of the fall-back machine (as no pass-phrase is then used),
> for outside world connections?
You can limit the key's use so that it shouldn't compromise your
security, but it's always possible that a bug or a mistake on your
part will open up the machine unintentionally. I feel safer not
allowing remote privileged access to my machines at all.
> 3-I'm considering enforcing very strict SSH access. Will adding a line
> to sshd_config like: "AllowUsers root at 192.168.1.1 olaf eric" force SSH
> to ONLY allow those three users (and no other ones), with root only
> allowed from 192.168.1.1, and the other two users from anywhere in the
> world?
It's supposed to. I haven't tested it lately; try an experiment.
> 4-If I add an RSA/DSA key of the life server only to the
> authorized_keys files on the fall-back server, will SSH still allow me
> to connect to it using e.g. the user olaf with password authentication
> from anywhere in the world, or will that one then be locked out until
> I add the key of each and every machine I need access from to the
> authorized_keys file?
In the default configuration, you will still be able to log in with
your user account.
Also consider limiting the passphraseless key: the sshd(8) manual page
describes a number of limitations you can put in the authorized_keys
file for this purpose.
--
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/
More information about the freebsd-questions
mailing list