Re: Locking down ssh config in large env

From: Alvin Oga (
Date: 09/10/04

    To: (Price, Christopher)
    Date: Fri, 10 Sep 2004 13:08:41 -0700 (PDT)

    hi ya chris

    there are 2 normal ways we do things like this ...

    a) we erase their changes if they change it ( trivial )
    b) modify the ssh sources ( too much headache )

    if they have root passwds, all bets are off ... it's a computer
    usage policy issue if people will use their linux root skills
    to get around corp security and usage policy

    c ya

    a) if the users tend to change things... we erase it
        ( do it via cron on the local pc .. hourly )

            if different,
              cp /mnt/CentralRepository/ssh_config ~/.ssh/ssh_config
              cp /mnt/CentralRepository/known_hosts ~/.ssh/known_hosts

            - it's easy since you also use automounted resources
            which can have its "central repository" in each user's /home/<user>
            so that the central repository cannot be removed (bypassed),
            otherwise they lose their /home dir stuff

    b) modify the source code to only use a predefined config file
       instead of looking in ~ before it looks for its system default files

    and yes... that's what we do ... and all the other files too
      including passwds, shadow, hosts, hosts.allow, resolv.conf, etc, etc

    and an additional set of centrally maintained files for www, mail, dns, fw, backups, etc

    > I am looking for some ideas on how to lock down ssh for a large
    > deployment of unix hosts. Specifically, I would like to be able to tell the
    > ssh cli program to ignore individual users' .ssh/ssh_config files and only
    > reference the global ssh_config file, (eg: /usr/local/etc/ssh_config). Most
    > of my users' home directories are mounted via automounter from a central
    > location.
    > I am also looking for a way in which to have ssh only reference a
    > global known_hosts file (eg: /usr/local/etc/known_hosts) and completely
    > ignore individual users' .ssh/known_hosts entries. Effectively what I want is
    > a centrally managed and distributed known_hosts file to be used in
    > conjunction with StrictHostKeyChecking to not allow ssh connections from
    > hosts not listed in the global known_hosts file. The global known_hosts file
    > would be a read-only file for everyone but administrators. The use of
    > StrictHostKeyChecking ties into my desire to ignore users' ssh_config files
    > and rely only on the global file - I don't want users to be able to override
    > StrictHostKeyChecking. VerifyHostKeyDNS has a great deal of appeal, but a
    > number of my clients (Sun SSH for example) do not yet support this option.
    > Also I have some issues with getting a recent bind deployment in place to
    > support SSHFP keys.
    > Any input is greatly appreciated.
    > TIA,
    > Chris
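The hourly "erase their changes" cron job of option (a), written out as an added example (not code from the post or from any project it mentions). REPO stands for the post's /mnt/CentralRepository and TARGET for ~/.ssh, both assumed paths; since OpenSSH reads the per-user client file from ~/.ssh/config, the master ssh_config is written under that name, and a file is only rewritten when it actually differs from the admin-owned master.

```shell
#!/bin/sh
# Added example: restore a user's ssh client files from a central, admin-owned
# copy whenever they differ. REPO and TARGET are assumed paths (see lead-in).
REPO="${REPO:-/mnt/CentralRepository}"
TARGET="${TARGET:-$HOME/.ssh}"

# sync_file <name under REPO> <name under TARGET>
# Exit status: 0 = file was (re)written, 1 = already identical to the master,
#              2 = no readable master, 3 = copy failed.
sync_file() {
    src="$REPO/$1"
    dst="$TARGET/$2"
    [ -r "$src" ] || return 2
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    mkdir -p "$TARGET" && chmod 700 "$TARGET"
    # Write to a temp file and rename so ssh never reads a half-written file.
    cp "$src" "$dst.tmp" && chmod 600 "$dst.tmp" && mv -f "$dst.tmp" "$dst" || return 3
    return 0
}

# Refresh every managed file; prints how many had to be restored so the
# cron job's output (or a log line) shows who keeps editing their files.
sync_all() {
    restored=0
    for pair in "ssh_config:config" "known_hosts:known_hosts"; do
        master="${pair%%:*}"
        local_name="${pair#*:}"
        rc=0
        sync_file "$master" "$local_name" || rc=$?
        case $rc in
            0) restored=$((restored + 1))
               printf 'restored %s from %s\n' "$TARGET/$local_name" "$REPO/$master" >&2 ;;
            2) printf 'warning: no master %s in %s\n' "$master" "$REPO" >&2 ;;
            3) printf 'error: could not write %s\n' "$TARGET/$local_name" >&2 ;;
        esac
    done
    echo "$restored"
}

# Cron entry (hourly, as in the post): 0 * * * * /usr/local/sbin/ssh-sync.sh
if [ -d "$REPO" ]; then
    sync_all >/dev/null
fi
```

The master ssh_config in REPO is where "StrictHostKeyChecking yes" and a "UserKnownHostsFile" pointing at the global file belong; the job only guarantees that whatever the admins put there wins over local edits within the hour.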
