Hi,

working on tightening our network (somewhat) today, I found that OpenSSH
doesn't seem to have the "AllowSHosts" directive (in sshd_config) that
Commercial SSH (at least 1.2.25 & up) has.

Now I wonder whether that hasn't been implemented yet, or has been dropped
for a certain reason.

I find this very useful for what I want to achieve - inside the company
network, .shosts is honoured, from outside the company, it isn't. No
matter what people put in their .shosts, they can't log in from home
without a password (and S/Key in future), thus a break-in into their home
machine won't immediately break the office network as well...

Or is this train of thought flawed somewhere? (As usual, I have to
balance user convenience vs. security - if security is too inconvenient,
people won't use it).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    gert at greenie.muc.de
fax: +49-89-35655025                              gert.doering at physik.tu-muenchen.de
On Mon, 30 Oct 2000, Gert Doering wrote:

> working on tightening our network (somewhat) today, I found that OpenSSH
> doesn't seem to have the "AllowSHosts" directive (in sshd_config) that
> Commercial SSH (at least 1.2.25 & up) has.
>
> Now I wonder whether that hasn't been implemented yet, or has been dropped
> for a certain reason.
>
> I find this very useful for what I want to achieve - inside the company
> network, .shosts is honoured, from outside the company, it isn't. No
> matter what people put in their .shosts, they can't log in from home
> without a password (and S/Key in future), thus a break-in into their home
> machine won't immediately break the office network as well...
>
> Or is this train of thought flawed somewhere? (As usual, I have to
> balance user convenience vs. security - if security is too inconvenient,
> people won't use it).

'IgnoreRhosts yes' will ignore .shosts files too.

However, people can log in without a password otherwise too, if they're
using RSAAuthentication. It'll ask for a passphrase, but the user can
also make it empty.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"
On 2000-10-30, Gert Doering <gert at greenie.muc.de> wrote:

> Well, dropping AllowHosts doesn't mean dropping functionality (because
> it can be done via TCP wrappers).
>
> Dropping AllowSHosts means "I can't do that anymore", which should have
> security reasons, which I don't see any right now...

Hm. Can you get the same effect by populating /etc/ssh_known_hosts (or
its moral equivalent) with the public keys of hosts you wish to allow,
and then setting IgnoreUserKnownHosts? This would prevent users from
adding other hosts to .shosts, no? Though it might be deemed too much
administrative overhead to maintain...

--
Hank Leininger <hlein at progressive-comp.com>