Re: Double Auth with SSH



Cameron L. Spitzer wrote:
Suppose you ran an sshd in a chroot jail, listening to some
port on a routable address. This sshd only allows login by RSA key.
It doesn't allow port forwarding or X11.
Suppose the only executable in that jail is a telnet client.



("Telnet! Zounds, man, nobody uses telnet!" Well, it's hard for users
to convince the telnet server to run anything for them but login. And
who's gonna eavesdrop on the password here?)
And what's wrong with using two ssh servers?

Suppose you have a telnet server, not in jail, but only
listening to 127.0.0.1. This server invokes login
which authenticates via PAM.

So from the outside you ssh into the bare jail, and from there
you have to telnet into the real machine.

Your users will get annoyed with all this paranoia. You'll
need a firewall rule so they can't start their own telnet/ssh/bindshell
servers on high ports.

What about not allowing normal users to exec sshd/telnetd/...?

Look at Telnet's -8 and -E options. Maybe there is a second binary
in the jail, that exec()'s telnet with fixed options.
Maybe that's not necessary.
Even with no other binary in the jail, that way is more paranoid :) (For those
who haven't read telnet's manpage, -E prevents the escape key from being used.)

Really paranoid :-). But what would be the difference between that and using
two ssh servers?

# Here are the changed options from the standard config file
# For the sshd_config.internal
Port 23
ListenAddress 127.0.0.1
LoginGraceTime 20
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.internal

# For the sshd_config.inet
LoginGraceTime 20
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication yes
X11Forwarding no

So you have the external ssh server jailed, and the second ssh server only
allows local connections, so you connect by ssh, authenticating with RSA, to
the external server and from there you enter the user and password to log in.
Is anything wrong with that?

I don't rely on telnet servers, but it seems interesting too.

Would it be too paranoid to use this with a firewall rule that only allows
logins from one host and allows only two logins at a time? I've got my PC
with an ssh server, and I want only ME to be able to access it, and something
like no-ip or similar would be interesting, I mean, you've got to enter the
no-ip password, connect, enter the RSA password, have the RSA file, and
enter the password on the telnet or second ssh server. :-P

Cameron

--

--David Francos <XayOn>--
Contact:
Jabber: Thexayon@xxxxxxxxxx
E-mail:Yo.orco@xxxxxxxxx, thexayon@xxxxxxxxx (GTalk)
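The following is an added example, not code from this thread or from either poster. It lints a pair of sshd_config fragments against the two-hop policy the thread describes in prose: the outer, jailed sshd on a routable address takes only a public key and forwards nothing; the inner sshd is bound to 127.0.0.1 and takes the password (via login/PAM) as the second factor. The keyword names are real sshd_config keywords; which value each hop must carry is this example's own reading of the thread, and the "fixed" pair and the internal port number are constructed assumptions. Run over the two fragments posted above, embedded verbatim, it reports which hop currently takes which factor; a pair that matches the prose lints clean.

```python
"""Lint two sshd_config fragments against a two-hop (key outside, password
inside) login policy.  Added example; the policy rules are assumptions
taken from the thread's prose, not from any sshd documentation."""

# The two fragments exactly as posted, embedded so the script runs offline.
POSTED_INET = """\
LoginGraceTime 20
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication yes
X11Forwarding no
"""

POSTED_INTERNAL = """\
Port 23
ListenAddress 127.0.0.1
LoginGraceTime 20
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
X11Forwarding no
Banner /etc/issue.internal
"""

# Constructed pair matching the prose: key on the outer hop, password on the
# inner one, no forwarding anywhere.  The internal port is an assumption.
FIXED_INET = """\
LoginGraceTime 20
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
"""

FIXED_INTERNAL = """\
Port 23
ListenAddress 127.0.0.1
LoginGraceTime 20
PermitRootLogin no
PubkeyAuthentication no
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> value.  The FIRST occurrence of a keyword
    wins, which is how sshd resolves duplicates; parsing stops at a Match
    line because everything after it is conditional."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, blanks
        if not line:
            continue
        # sshd accepts "Keyword value", "Keyword=value" and "Keyword = value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)
    return cfg


def check_hop(cfg, role):
    """Return the policy violations for one hop; role is 'outer' or 'inner'."""
    problems = []

    def expect(keyword, wanted):
        got = cfg.get(keyword.lower())
        if got is None:
            problems.append(f"{role}: {keyword} not set, sshd default applies")
        elif got.lower() != wanted:
            problems.append(f"{role}: {keyword} is {got}, expected {wanted}")

    expect("PermitRootLogin", "no")
    expect("X11Forwarding", "no")
    expect("AllowTcpForwarding", "no")       # thread: no port forwarding
    if role == "outer":
        expect("PubkeyAuthentication", "yes")
        expect("PasswordAuthentication", "no")
        if cfg.get("listenaddress", "").startswith("127."):
            problems.append("outer: bound to loopback, unreachable from outside")
    else:
        expect("PasswordAuthentication", "yes")
        # Assumption: the inner hop must not accept keys, otherwise the key that
        # opened the outer hop opens this one too and the second factor is gone.
        expect("PubkeyAuthentication", "no")
        if not cfg.get("listenaddress", "").startswith("127."):
            problems.append("inner: ListenAddress must be 127.0.0.1")
    return problems


def lint_pair(outer_text, inner_text):
    """All violations for an (outer, inner) pair of fragments; [] means clean."""
    return (check_hop(parse_sshd_config(outer_text), "outer")
            + check_hop(parse_sshd_config(inner_text), "inner"))


if __name__ == "__main__":
    for name, pair in (("posted", (POSTED_INET, POSTED_INTERNAL)),
                       ("fixed", (FIXED_INET, FIXED_INTERNAL))):
        findings = lint_pair(*pair)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' findings'}")
        for finding in findings:
            print("  " + finding)
```

On the posted pair the linter reports that the inet (outer) fragment takes a password and refuses keys while the internal fragment does the opposite, and that neither fragment sets AllowTcpForwarding; the constructed pair reports nothing. Keeping first-occurrence semantics in the parser matters in practice: a hardening line appended to the end of a real sshd_config is silently ignored if the keyword already appears earlier in the file.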
