Re: Locking down ssh config in large env
From: Alvin Oga (alvin.sec_at_Virtual.Linux-Consulting.com)
Date: 09/10/04
- Previous message: MBuselli_at_cccis.com: "Re: REQ: SSH behaviour dependent from the connecting client"
- In reply to: Price, Christopher: "Locking down ssh config in large env"
- Next in thread: Atro Tossavainen: "Re: Locking down ssh config in large env"
- Reply: Atro Tossavainen: "Re: Locking down ssh config in large env"
- Reply: Brett Anderson: "Re: Locking down ssh config in large env"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Christopher.Price@encana.com (Price, Christopher)
Date: Fri, 10 Sep 2004 13:08:41 -0700 (PDT)
hi ya chris
there are 2 normal ways we do things like this ...
a) we erase their changes if they change it ( trivial )
b) modify the ssh sources ( too much headache )
if they have root passwds, all bets are off ... it's a computer
usage policy issue if people will use their linux root skills
to get around corp security and usage policy
c ya
alvin
a) if the users tend to change things... we erase it
( do it via cron on the local pc .. hourly )
# copy only when the user's copy differs (OpenSSH reads ~/.ssh/config, not ~/.ssh/ssh_config)
cmp -s /mnt/CentralRepository/ssh_config ~/.ssh/config || cp /mnt/CentralRepository/ssh_config ~/.ssh/config
cmp -s /mnt/CentralRepository/known_hosts ~/.ssh/known_hosts || cp /mnt/CentralRepository/known_hosts ~/.ssh/known_hosts
- it's easy since you also use automounted resources
which can have their "central repository" in each user's /home/<user>
so that the central repository cannot be removed (bypassed)
otherwise they lose their /home dir stuff
b) modify the source code to only use predefined config files
instead of looking in ~ before it looks for its system default files
and yes... that's what we do ... and all the other files too
including passwds, shadow, hosts, hosts.allow, resolv.conf, etc, etc
and an additional set of centrally maintained files for www, mail, dns, fw, backups, etc
>
> I am looking for some ideas on how to lock down ssh for a large
> deployment of unix hosts. Specifically, I would like to be able to tell the
> ssh cli program to ignore individual users' .ssh/ssh_config files and only
> reference the global ssh_config file (e.g. /usr/local/etc/ssh_config). Most
> of my users' home directories are mounted via automounter from a central
> location.
>
> I am also looking for a way in which to have ssh only reference a
> global known_hosts file (e.g. /usr/local/etc/known_hosts) and completely
> ignore individual users' .ssh/known_hosts entries. Effectively what I want is
> a centrally managed and distributed known_hosts file to be used in
> conjunction with StrictHostKeyChecking to not allow ssh connections to
> hosts not listed in the global known_hosts file. The global known_hosts file
> would be a read-only file for everyone but administrators. The use of
> StrictHostKeyChecking ties into my desire to ignore users' ssh_config files
> and rely only on the global file - I don't want users to be able to override
> StrictHostKeyChecking. VerifyHostKeyDNS has a great deal of appeal, but a
> number of my clients (Sun SSH for example) do not yet support this option.
> Also I have some issues with getting a recent bind deployment in place to
> support SSHFP keys.
>
> Any input is greatly appreciated.
>
> TIA,
>
> Chris
>
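A cron-able version of option (a) from the reply above, added here as an example and not code from the thread or from either poster: it compares a user's ssh client files with the central copies, overwrites only the ones that have drifted, and exposes a separate check that a monitoring job can run to detect a user override (for instance someone turning StrictHostKeyChecking back off). The central repository path /mnt/CentralRepository is the one named in the reply; the function names, the per-file permissions and the sample contents are assumptions. The demo at the bottom runs against constructed files in temporary directories, so it can be run as-is without touching a real home directory.

```shell
#!/bin/sh
# Added example (not code from the thread): enforce centrally managed ssh client
# files per user, as option (a) in the reply describes. Function names, file
# modes and the sample data below are assumptions; /mnt/CentralRepository is the
# repository path used in the reply.

# enforce_ssh_files CENTRAL_DIR USER_SSH_DIR
# Copies CENTRAL_DIR/ssh_config to USER_SSH_DIR/config and
# CENTRAL_DIR/known_hosts to USER_SSH_DIR/known_hosts, but only when the user's
# copy differs. Prints the number of files replaced; returns 2 if a central
# file is missing (so a broken mount never wipes the user's files).
enforce_ssh_files() {
    central="$1"
    sshdir="$2"
    replaced=0
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    # central name -> per-user name; OpenSSH reads ~/.ssh/config, not ~/.ssh/ssh_config
    for pair in ssh_config:config known_hosts:known_hosts; do
        src="$central/${pair%%:*}"
        dst="$sshdir/${pair##*:}"
        if [ ! -f "$src" ]; then
            echo "central file missing: $src" >&2
            return 2
        fi
        if [ ! -f "$dst" ] || ! cmp -s "$src" "$dst"; then
            cp "$src" "$dst"
            replaced=$((replaced + 1))
        fi
        chmod 600 "$dst"
    done
    echo "$replaced"
}

# check_ssh_files CENTRAL_DIR USER_SSH_DIR
# Detection-only counterpart: returns 0 when the user's files match the central
# copies, non-zero when either has drifted. Suitable for a monitoring job.
check_ssh_files() {
    cmp -s "$1/ssh_config" "$2/config" && cmp -s "$1/known_hosts" "$2/known_hosts"
}

# Demo on constructed sample data in temporary directories (not a real repository).
demo_central=$(mktemp -d)
demo_sshdir=$(mktemp -d)/.ssh
printf 'StrictHostKeyChecking yes\nHashKnownHosts no\n' > "$demo_central/ssh_config"
printf 'bastion.example.com ssh-rsa AAAAB3...PLACEHOLDER-KEY\n' > "$demo_central/known_hosts"
echo "first run replaced: $(enforce_ssh_files "$demo_central" "$demo_sshdir")"
echo 'StrictHostKeyChecking no' > "$demo_sshdir/config"   # simulate a user override
check_ssh_files "$demo_central" "$demo_sshdir" || echo "drift detected in $demo_sshdir"
echo "second run replaced: $(enforce_ssh_files "$demo_central" "$demo_sshdir")"
```

Run from cron as root once per user home (for example by iterating over the automounted home directories); the missing-central-file guard matters because with an automounted repository a failed mount would otherwise look like "file differs" and be copied over as an empty or absent file.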