SSHD Host Based Authentication NOT working

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Oct 23 04:29:01 PDT 2003


On Wed, Oct 22, 2003 at 10:03:23PM -0400, Gene Mats wrote:
> Hello, 
> 
> I am having a problem with activating SSHD Host Based Authentication on
> my 
> FreeBSD OS. Below is my /etc/ssh/sshd_config file.
> 
> HostbasedAuthentication yes
> PermitRootLogin no
> VerifyReverseMapping yes
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
> 
> My /etc/hosts.equiv and /etc/shosts.equiv have a few specific hostnames.
> But 
> it seems I can still connect from any host -(.
> 
> How can I block ALL hosts' access to my SSHD? I tried putting in a minus 
> minus in the /etc/hosts.equiv and /etc/shosts.equiv and I have the 
> HostbasedAuthentication setting turned up to yes. Still no success.
> 
> Any help would be appreciated.

Yes -- {,s}hosts.equiv don't control what hosts you can connect from,
only what hosts will be allowed to bypass the usual authentication
step.

To prevent remote hosts connecting to your sshd(8), you can use
tcpwrappers (/etc/hosts.allow) or you can set up a firewall to filter
incoming packets to port 22.

Do you really need to use host based access control?  It is not
generally recommended nowadays -- too many possibilities for spoofing
or other nastiness unless you really know what you're doing and the
rest of your network infrastructure is pretty bulletproof.  It's
generally held to be preferable to use key based authentication --
these can be passwordless keys for unattended operation, and you
should make full use of the features of the ~/.ssh/authorized_keys
file that limit what hosts may connect and what commands they run
using any particular key.

	Cheers,

	Matthew	

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
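The authorized_keys restrictions the reply recommends (from= to limit source hosts, command= to force one command), shown in a constructed sample file together with a small audit script that flags keys lacking them. This is an added example, not code from the thread; the hostnames, key blobs and file contents are placeholders.

```shell
#!/bin/sh
# Added audit helper, not code from the original thread. Assumes POSIX sh plus awk and grep.
# It reports which authorized_keys entries carry the from="..." host restriction and
# command="..." forced command that the reply recommends for unattended keys.

# Constructed sample authorized_keys file; hostnames and key blobs are placeholders.
SAMPLE_KEYS=$(mktemp)
trap 'rm -f "$SAMPLE_KEYS"' EXIT
cat > "$SAMPLE_KEYS" <<'EOF'
# nightly backup: one source host, one forced command, no forwarding, no tty
from="backup.example.net",command="/usr/local/bin/dump-nightly",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER1 backup@backup.example.net
# monitoring: limited to a subnet, but the client may still run any command
from="192.0.2.*" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 nagios@mon.example.net
# interactive key with no restrictions at all
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER3 gene@laptop
EOF

# Print "<comment> from=<yes|no> command=<yes|no>" for every key in the file.
# Exit status is 1 if any key lacks a from= restriction, 0 otherwise.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            has_from = ($0 ~ /^from="/ || $0 ~ /,from="/) ? "yes" : "no"
            has_cmd  = ($0 ~ /^command="/ || $0 ~ /,command="/) ? "yes" : "no"
            # $NF is the trailing key comment (user@host in the sample)
            printf "%s from=%s command=%s\n", $NF, has_from, has_cmd
            if (has_from == "no") unrestricted++
        }
        END { exit (unrestricted > 0) ? 1 : 0 }
    ' "$1"
}

# Number of keys usable from any host (no from= option); 0 is the goal for unattended keys.
count_unrestricted() {
    audit_authorized_keys "$1" | grep -c 'from=no'
}

audit_authorized_keys "$SAMPLE_KEYS" || echo "warning: some keys are not host-restricted"
```

Run it against a real ~/.ssh/authorized_keys by passing that path to audit_authorized_keys instead of the sample; keys reported with from=no can be used from any host that holds the private key.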