Re: Tightening SSH access
From: Keith Keller (kkeller-usenet_at_wombat.san-francisco.ca.us)
Date: 07/08/05
- Next message: Sensei: "Re: Tightening SSH access"
- Previous message: Carlos Moreno: "Tightening SSH access"
- In reply to: Carlos Moreno: "Tightening SSH access"
- Next in thread: Sensei: "Re: Tightening SSH access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 8 Jul 2005 14:38:14 -0700
On 2005-07-08, Carlos Moreno <moreno_at_mochima_dot_com@xx.xxx> wrote:
>
> Is there a way to configure SSH + iptables such that it only accepts
> logins coming from our machines? Ideally, the access should require
> password (i.e., a Unix login password) + public-key verification (only
> our keys would be accepted by SSH) + verification (via MAC) that it
> comes from our machines (our IP is not static, so using the source
> IP to validate would be risky). Is it possible?
I can't speak to all of your concerns, but MACs are spoofable, and in
theory anyone on the local network should be able to sniff your MAC.
That being said,
> In the iptables tutorial I have, they mention that the MAC-based
> match support is not quite solid. I'm not sure if that still holds.
I think MAC-based matching is reasonably good in recent kernels. I've
been using it for some of my boxes, and it seems to work fine.
--keith
--
kkeller-usenet@wombat.san-francisco.ca.us (try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom
see X- headers for PGP signature information
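As an added illustration (not code from this thread or from either poster) of the setup Carlos asks about and the caveat Keith raises: a script that emits iptables rules accepting new SSH connections on tcp/22 only from a list of source MACs, logging and dropping the rest, plus an sshd_config fragment requiring both a key and the Unix password. The chain name SSH_MAC and the sample MACs are assumptions, and the AuthenticationMethods directive exists only in OpenSSH 6.2 and later, well after this 2005 exchange.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (does not apply) iptables rules
# that admit SSH only from listed source MACs, and an sshd_config fragment.
# Caveat: -m mac matches the Ethernet source of the frame as it arrives, so it
# only means anything for hosts on the same L2 segment (routed traffic carries
# the router's MAC), and any host on that segment can forge it. Treat it as a
# speed bump that yields a log line, not as authentication.

# Accept a MAC only in canonical colon-separated hex form.
valid_mac() {
    printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the iptables commands for the given MACs (chain name is an assumption).
# Usage: gen_ssh_mac_rules 00:11:22:33:44:55 aa:bb:cc:dd:ee:ff
gen_ssh_mac_rules() {
    [ "$#" -gt 0 ] || { echo "no MACs given" >&2; return 1; }
    echo "iptables -N SSH_MAC 2>/dev/null || iptables -F SSH_MAC"
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        echo "iptables -A SSH_MAC -m mac --mac-source $mac -j ACCEPT"
    done
    # Log (rate limited) then drop everything else; the log line is the
    # detection hook for connection attempts from unexpected hardware.
    echo "iptables -A SSH_MAC -m limit --limit 5/min -j LOG --log-prefix 'ssh-mac-reject: '"
    echo "iptables -A SSH_MAC -j DROP"
    echo "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_MAC"
}

# sshd_config fragment: both a public key AND the Unix password are required.
# AuthenticationMethods is available in OpenSSH 6.2 and later.
sshd_fragment() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
PermitRootLogin no
EOF
}
```

Pipe the output of gen_ssh_mac_rules into sh only after reviewing it, and keep a console or out-of-band path open in case the MAC list is wrong.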