Re: ssh and hosts.allow; purpose of ssh

From: Richard E. Silverman (slade@shore.net)
Date: 12/20/01


From: slade@shore.net (Richard E. Silverman)
Date: 20 Dec 2001 16:39:51 -0500


>>>>> "sjf" == sjfromm <sjfromm@starpower.net> writes:

    sjf> He thinks that putting an entry into hosts.allow (this is for
    sjf> Solaris) for ssh that allows in a lot of IPs is very dangerous.
    sjf> Is that right? If it were, what is the purpose of ssh? (He
    sjf> suggested I change DSL providers to get a static IP. I said that
    sjf> that is ridiculous.)

I agree with you. It drastically reduces the usefulness of the system,
while buying you very little real security benefit. In a closed
situation, where it's known ahead of time which accounts should be
accessed from which machines (say for a set of remote batch jobs), it's
reasonable to do this -- it adds a little more difficulty to breaking in
without affecting the operation of the system. Also in such a situation,
you're likely to have more confidence in the security of your IP routing.
For general Internet access, there is absolutely no guarantee that packets
with "your" IP address are in fact coming from you, so what does he think
this is buying him?

-- 
  Richard Silverman
  slade@shore.net


