Re: Locking down ssh config in large env

From: Alvin Oga (alvin.sec_at_Virtual.Linux-Consulting.com)
Date: 09/10/04

  • Next message: Brian Hatch: "Re: how to force an ssh client timeout"
    To: Christopher.Price@encana.com (Price, Christopher)
    Date: Fri, 10 Sep 2004 13:08:41 -0700 (PDT)
    
    

    hi ya chris

    there are 2 normal ways we do things like this ...

    a) we erase their changes if they change it ( trivial )
    b) modify the ssh sources ( too much headache )

    if they have root passwds, all bets are off ... it's a computer
    usage policy issue if people will use their linux root skills
    to get around corp security and usage policy

    c ya
    alvin

    a) if the users tend to change things... we erase it
        ( do it via cron on the local pc .. hourly )

            # hourly cron job: if the user's copy differs, put the central one back
            if ! cmp -s /mnt/CentralRepository/ssh_config ~/.ssh/ssh_config; then
              cp /mnt/CentralRepository/ssh_config ~/.ssh/ssh_config
            fi
            if ! cmp -s /mnt/CentralRepository/known_hosts ~/.ssh/known_hosts; then
              cp /mnt/CentralRepository/known_hosts ~/.ssh/known_hosts
            fi

            - it's easy since you also use automounted resources
            which can have their "central repository" in each user's /home/<user>
            so that the central repository cannot be removed (bypassed),
            otherwise they lose their /home dir stuff

    b) modify the source code to only use predefined config files
       instead of looking in ~ before it looks for its system default files

    and yes... that's what we do ... and all the other files too
      including passwds, shadow, hosts, hosts.allow, resolv.conf, etc, etc

    and an additional set of centrally maintained files for www, mail, dns, fw, backups, etc

    >
    > I am looking for some ideas on how to lock down ssh for a large
    > deployment of unix hosts. Specifically, I would like to be able to tell the
    > ssh cli program to ignore individual users' .ssh/ssh_config files and only
    > reference the global ssh_config file, (eg: /usr/local/etc/ssh_config). Most
    > of my users' home directories are mounted via automounter from a central
    > location.
    >
    > I am also looking for a way in which to have ssh only reference a
    > global known_hosts file (eg: /usr/local/etc/known_hosts) and completely
    > ignore individual users' .ssh/known_hosts entries. Effectively what I want is
    > a centrally managed and distributed known_hosts file to be used in
    > conjunction with StrictHostKeyChecking to not allow ssh connections from
    > hosts not listed in the global known_hosts file. The global known_hosts file
    > would be a read-only file for everyone but administrators. The use of
    > StrictHostKeyChecking ties into my desire to ignore users' ssh_config files
    > and rely only on the global file - I don't want users to be able to override
    > StrictHostKeyChecking. VerifyHostKeyDNS has a great deal of appeal, but a
    > number of my clients (Sun SSH for example) do not yet support this option.
    > Also I have some issues with getting a recent bind deployment in place to
    > support SSHFP keys.
    >
    > Any input is greatly appreciated.
    >
    > TIA,
    >
    > Chris
    >
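
Option (a) above, the hourly "erase their changes" cron job, written out as an added example (not code from the original post or from either poster): it walks every automounted home, restores the central ssh client config and known_hosts wherever a user has altered or removed them, and logs each restore so drift is visible to admins. The repository path, the home base path and the log path are assumptions set at the top; note that ssh(1) reads the per-user file as ~/.ssh/config, which the thread refers to as ~/.ssh/ssh_config.

```shell
#!/bin/sh
# Added example, not from the original post: option (a) as a cron-driven
# enforcement script. Walks every automounted home and puts the central
# ssh_config/known_hosts back whenever a user has changed or removed them.
# Assumed paths: CENTRAL holds the admin-maintained copies, HOMES is the
# automounter's base. ssh(1) reads the per-user file as ~/.ssh/config.
CENTRAL="${CENTRAL:-/mnt/CentralRepository}"
HOMES="${HOMES:-/home}"
LOG="${LOG:-/var/log/ssh-config-enforce.log}"

# restore_file SRC DST: put SRC back if DST is missing or differs.
# Returns 0 when a restore happened, 1 when DST already matched.
restore_file() {
    src="$1"; dst="$2"
    if cmp -s "$src" "$dst"; then
        return 1
    fi
    mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")"
    rm -rf "$dst"            # also clears a symlink or dir planted in its place
    cp "$src" "$dst"
    chmod 0444 "$dst"
    # Each drift event gets logged, so edits by users are visible to admins.
    printf '%s restored %s\n' "$(date '+%F %T')" "$dst" >> "$LOG"
    return 0
}

# enforce_home HOMEDIR: enforce both files for one user; prints how many
# files had to be restored (0, 1 or 2).
enforce_home() {
    n=0
    restore_file "$CENTRAL/ssh_config" "$1/.ssh/config" && n=$((n + 1))
    restore_file "$CENTRAL/known_hosts" "$1/.ssh/known_hosts" && n=$((n + 1))
    echo "$n"
}

# enforce_all: run enforce_home over every home dir; prints the total.
enforce_all() {
    total=0
    for h in "$HOMES"/*/; do
        [ -d "$h" ] || continue
        c=$(enforce_home "${h%/}")
        total=$((total + c))
    done
    echo "$total"
}

# From cron (hourly, as the post suggests): ssh-config-enforce.sh run
if [ "${1:-}" = "run" ]; then
    enforce_all
fi
```

The restore count is the useful signal: a non-zero total on an hourly run means somebody changed a file the policy says they must not, and the log line names the home directory.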

