Best configuration of SSH

From: Tim Howes (thowes@ssi-ltd.com)
Date: 03/07/02


From: "Tim Howes" <thowes@ssi-ltd.com>
Date: Thu, 7 Mar 2002 13:54:57 -0000

Hi

I have got my previous problem fixed with the warning message by manually
going in to the sshd2_config and hard coding in the authentication section
the HostKeyFile and the PublicHostKeyFile.

This has really highlighted another problem, which is that I am unsure of the most
secure way to implement SSH, as I now understand that there is more than one
way to authenticate the user. Could somebody perhaps shed some light on or
point me in the right direction of how to configure SSH in the most secure
way? Here is the set-up I would like to use eventually (at present
everything is on a test box before I go live with it).

Host = Unix Server - redhat 7.1 with ssh installed
Client = Windows 2000 machine running F-Secure
There could be several different clients all logging in to carry out server
maintenance, but logins would only be as users: admin and then, once logged in,
root.

Should I only authenticate with a password?
Should I use public keys?
Should I use private keys?
Should I configure ssh2 to only accept admin logins and then be able to 'su'
once in?

I have read manual pages and I have read all help on the ssh site as well.

Any help would be appreciated

Regards

Tim Howes


