Re: Certificate authentication to SSH

From: captgoodnight captgoodnight <captgoodnight@hotmail.com>
Date: Wed Sep 07 2005 - 15:17:09 AKDT

Sounds good.

Might want to look into accepting ssh access from certain addrs|nets only,
maybe keeping the history file down to 50-100 lines, having a .bash_logout
that removes the history when you log out of root and scott. Keep X11
forwarding off at the client and server (removes the odds of local admin X11
hijacking methods (if ya really don't need it)), keep a cron-job of
chkrootkit and rkhunter on client/server. Run tripwire from a cdrom. Oh,
duh, use a different port for ssh AND honeypot the real one (honeyd ;) Use
gpg for sensitive stuff. Oh hell, the list goes on and on. I guess it
depends on how paranoid you have made yourself ;) lol.

There's always union routing, hehe.

PS: Duh, here ;) http://www.hackinglinuxexposed.com/articles/ --enjoy

2 cents,
eddie

>From: Scott Johnson <scott.a.johnson@gmail.com>
>Reply-To: scott.a.johnson@gmail.com
>To: captgoodnight captgoodnight <captgoodnight@hotmail.com>
>Subject: Re: Certificate authentication to SSH
>Date: Wed, 7 Sep 2005 12:52:45 -0800
>
>Thanks for the assurance Eddie. I've never made a box accessible from the
>outside world via SSH, but I'm getting the need to so I wanted to start out
>right. Basically I plan on restricting access in the SSH conf file to *only*
>allow login to user account "scott" (not root and no other system accounts)
>and then "scott" can only log in via certificate. Sound good? Anything
>I'm missing? If need be, I should of course then be able to su to root once
>I'm logged in.
>
>On 9/7/05, captgoodnight captgoodnight <captgoodnight@hotmail.com> wrote:
> >
> > From a security standpoint; it's the way to go. Hydra is useless against it,
> > as is the ettercap/sshmitm attack. Put simply, it's darn near bomb proof,
> > and I'm happy to see someone thinking about it. Auditing systems these days
> > has shown me that many allow auth to ssh, which is vuln to the previous
> > canned methods...
> >
> > Having root use certs is fairly safe too, but I don't recommend it. --
> > "security in depth"
> >
> > Now setting it up; straightforward, IMHO. Google is your friend, as is man
> > pages ;)
> >
> > http://www.google.com/linux?hl=en&q=
> >
> > As well, there is some awesome script trickery you can do with certs.
> >
> > my 2 cents,
> > eddie
> >
> >
> > >From: Scott Johnson <scott.a.johnson@gmail.com>
> > >Reply-To: scott.a.johnson@gmail.com
> > >To: aklug <aklug@aklug.org>
> > >Subject: Certificate authentication to SSH
> > >Date: Tue, 6 Sep 2005 00:19:05 -0800
> > >
> > >How easy is it to set up certificate authentication in SSH? Anyone
> > >have some pointers they'd like to share?????
> > >
> > >Thanks.
> > >
> > >--
> > >Scott Johnson
> > >scott.a.johnson@gmail.com
> > >---------
> > >To unsubscribe, send email to <aklug-request@aklug.org>
> > >with 'unsubscribe' in the message body.
> > >
>--
>Scott Johnson
>scott.a.johnson@gmail.com

Received on Wed Sep 7 15:17:09 2005

This archive was generated by hypermail 2.1.8 : Wed Sep 07 2005 - 15:17:10 AKDT
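
An added example, not part of the original thread: a small checker that reads sshd_config text and reports where it departs from the setup discussed above (only "scott" allowed, no root login, no password logins, X11 forwarding off, non-default port). It assumes "certificate" in the thread means OpenSSH public-key authentication; the function names and the sample configuration are constructed for illustration.

```python
# Added example: audit the global section of an sshd_config against the thread's advice.
DEFAULTS = {  # upstream OpenSSH defaults; a distribution's build may differ
    "permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes", "pubkeyauthentication": "yes",
    "x11forwarding": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
REPEATABLE = ("port", "allowusers")  # these accumulate across lines

def effective_settings(config_text):
    """Parse global directives; sshd keeps the first value seen for a keyword."""
    single, multi = dict(), {name: [] for name in REPEATABLE}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # conditional blocks run to end of file; stop here
            break
        if key in multi:
            multi[key].extend(parts[1:])
        elif len(parts) > 1:
            single.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **single, **multi}

def audit(config_text, allowed_user="scott"):
    """Return a list of findings; an empty list means the advice is met."""
    s = effective_settings(config_text)
    findings = []
    for key in ("passwordauthentication", "kbdinteractiveauthentication",
                "permitrootlogin", "x11forwarding"):
        if s[key] != "no":
            findings.append(f"{key} is '{s[key]}', expected 'no'")
    if s["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is disabled")
    if s["allowusers"] != [allowed_user]:
        findings.append(f"allowusers is {s['allowusers']}, expected ['{allowed_user}']")
    if not s["port"] or "22" in s["port"]:
        findings.append("sshd still listens on the default port 22")
    return findings

# Constructed sample input, not a configuration from the thread.
SAMPLE = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
AllowUsers scott
"""
```

On the sample, the one finding is keyboard-interactive authentication, which can still offer a password prompt through PAM even when PasswordAuthentication is off.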