Re: Opening ports in my firewall

From: Joe (joe_at_jretrading.com)
Date: 08/03/04


Date: Tue, 3 Aug 2004 22:47:08 +0100

In message <m3llgwbccz.fsf@newsguy.com>, Harry Putnam
<reader@newsguy.com> writes
>"Walter Dnes (delete the 'z' to get my real address)"
><wzaltdnes@waltdnes.org> writes:
>
>> 2) This may be a bit more painful, but consider accepting connections
>> only with DSA keys, and not allowing manual password logins.
>> Brute-forcing a DSA key is a helluva lot more difficult than a password.
>
>Walter, sorry to *** in here but, I've wondered about password method
>for a while and your post started to get to the crux of it.
>
>Can you spell the above method out a little. I guess you mean the
>method where you exchange id_dsa.pub keys and keep them an
>authorized_keys file right? But how is this limiting done?
>
>But that would assume you always know in advance what machine you will
>be sshing in from (or at least a group of possible machines). So that
>would be pretty much the same as using /etc/hosts.allow it seems.
>
>In a situation where one may ssh in from machines unknowable in
>advance, is there really any other technique than password?

You carry a floppy/CD/usb device. PuTTY (for Windows machines) will use
a shared key activated by a passphrase, which can be long. So you need
both the private key and its decrypting passphrase to connect, and no
amount of guessing will help without that private key. If you lose the
disc, then disable the public key and make another pair before someone
works out the passphrase.
>
>Also, is it possible to limit incoming ssh to a particular username?
>And that user ends up in a chroot jail or something. Needing yet
>another password (root's) to do damage.

I haven't done the chroot bit, but you can certainly limit to particular
users. You can then specify the shell available after login, so with a
bit of research on shell design, you can limit a login in any way you
can imagine.

-- 
Joe
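An added example, not from the thread or from any of its posters: a small audit of an sshd_config for the two controls Joe and Walter describe, key-only logins and limiting which users may connect. The configs embedded below are constructed for illustration; the "first value wins" rule and the PAM keyboard-interactive caveat are as documented in sshd_config(5).

```python
import re

# sshd_config(5): for each keyword the FIRST value in the file is used, so a
# "PasswordAuthentication no" appended at the end is silently ignored when an
# earlier line already says "yes". Lines after the first "Match" are
# conditional and are not evaluated here.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_sshd_config(text):
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)              # first occurrence wins
    return settings

def audit_sshd_config(text):
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is effectively 'yes'")
    # With PAM, keyboard-interactive auth can still prompt for a password
    # even when PasswordAuthentication is off, so it must be disabled too.
    if s.get("kbdinteractiveauthentication", "yes").lower() != "no":
        findings.append("KbdInteractive/ChallengeResponse auth still on")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: key logins would fail")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("No AllowUsers/AllowGroups: any account may log in")
    return findings

# Constructed sample: looks hardened at a glance, but sshd honours the early
# "PasswordAuthentication yes", not the one added at the bottom.
SAMPLE_WEAK = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# added later by an admin, has no effect:
PasswordAuthentication no
"""
SAMPLE_HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers joe harry
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a real file; an empty list means the three checks passed for the global section.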