Disable PasswordAuthentication and enable RSAAuthentication.

> -----Original Message-----
> From: Roy Harrison [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 26 August 2000 1:13 AM
> To: [EMAIL PROTECTED]
> Subject: SSH
>
>
> I'm trying to set SSH up so that a client cannot log onto a server unless
> the client has been given a key from the server. Either I put it on a
> floppy or e-mail it to the client.
>
> I installed SSH2 server on a Linux machine and a client on NT and Linux and
> was able to log right on using just the server's password. I was expecting
> more authentication from SSH itself.




[EMAIL PROTECTED] (Firewalls-Digest) on 08/28/2000 04:00:04 PM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:    (bcc: Goh Bee Hock/ENGR/1-Net)

Subject:  Firewalls-Digest V8 #1187




Firewalls-Digest       Monday, August 28 2000       Volume 08 : Number 1187



In this issue:

        configuring second mail domain on AFW98
        Re: Checkpoint software on Compaq hardware
        RE: SSH

See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.

----------------------------------------------------------------------

Date: Sun, 27 Aug 2000 19:40:32 +0800
From: "P, Sharad" <[EMAIL PROTECTED]>
Subject: configuring second mail domain on AFW98

Hi,

We have AltaVista Firewall 98 running on WinNT 4.0 (NT service pack 5 + AFW
SP 3) installed. We have added the other domain to the firewall, and we have
checked that for both domains the name resolution is happening all right,
but when I send a mail or telnet (25) to the newly added domain we get an
error message: Recipient not approved.

Can anyone help me on this?


Best Regards
Sharad Prasad
- -
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

------------------------------

Date: Sun, 27 Aug 2000 07:36:54 -0400
From: "Lance Ecklesdafer" <[EMAIL PROTECTED]>
Subject: Re: Checkpoint software on Compaq hardware

On Fri, 25 Aug 2000, [EMAIL PROTECTED] wrote:


> Don't install the Compaq Insight Manager.. :)
>
>
> ##########################################################
> 'Turn on, Boot Up, Jack in'
> #########################################################
>
> On Thu, 24 Aug 2000, Byron Kennedy wrote:

I heartily agree ...




------------------------------

Date: Mon, 28 Aug 2000 11:26:13 +0930
From: Ben Nagy <[EMAIL PROTECTED]>
Subject: RE: SSH

Uh, a couple of things - first of all, sending the keys to the clients is a
really bad move. What you _really_ want is for the client to generate their
SSH keys and then send the public keys to you. This avoids all sorts of
private key compromise opportunities.

After that I guess you want to read the manpages about how to require public
key auth. From a _really_ brief glance, it looks like you want to mess with
the RequiredAuthentications keyword in the config file. Oh, if publickey is
enough for you, you could change the AllowedAuthentications from
"password,publickey" to just "publickey".

Personally, I would ask for publickey and password - to do that just add
both methods to the RequiredAuthentications. This makes access two factor at
worst. If you only use the RSA auth then a busted client implementation or
improperly stored keypair means that compromised / stolen hosts are a free
ticket.

(OK, that's a lie - a compromised host can be assumed to be running a
password grabber, but I'm thinking more about stolen laptops.)

Cheers,

- --
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520


> -----Original Message-----
> From: Roy Harrison [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 26 August 2000 1:13 AM
> To: [EMAIL PROTECTED]
> Subject: SSH
>
>
> I'm trying to set SSH up so that a client cannot log onto a server unless
> the client has been given a key from the server. Either I put it on a
> floppy or e-mail it to the client.
>
> I installed SSH2 server on a Linux machine and a client on NT and Linux and
> was able to log right on using just the server's password. I was expecting
> more authentication from SSH itself.
>
> Any help would be welcome.
>
> Thanks
>
>
>
> Roy Harrison
>
> Research Libraries Group
> Servers and Networking Group
> Mountain View, CA
> 650.691.2326
> [EMAIL PROTECTED]
>

------------------------------
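
Added example, not part of any message in this digest: a small Python check of the settings discussed in the "RE: SSH" reply. It assumes an sshd2_config made of `Keyword value` lines with `#` comments, that any single method in AllowedAuthentications is enough to log in, and that every method in RequiredAuthentications must succeed when that keyword is set; the function names and sample configs are constructed for illustration.

```python
# Added example: audit sshd2_config-style text for the cases raised in the thread.
DEFAULT_ALLOWED = ["password", "publickey"]  # default quoted in the reply

# Constructed sample configs (not taken from a real server).
KEY_ONLY = "AllowedAuthentications publickey\n"
KEY_AND_PASSWORD = (
    "# constructed sample\n"
    "AllowedAuthentications password,publickey\n"
    "RequiredAuthentications publickey,password\n"
)

def parse_auth_settings(config_text):
    """Return (allowed, required) method lists; keywords are matched case-insensitively."""
    allowed, required = list(DEFAULT_ALLOWED), []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        methods = [m.strip().lower() for m in value.split(",") if m.strip()]
        if keyword == "allowedauthentications":
            allowed = methods
        elif keyword == "requiredauthentications":
            required = methods
    return allowed, required

def sufficient_sets(config_text):
    """Each set is one combination of methods that, once passed, grants a login."""
    allowed, required = parse_auth_settings(config_text)
    if required:                        # assumed: all listed methods must succeed
        return [frozenset(required)]
    return [frozenset([m]) for m in allowed]  # assumed: any one method suffices

def audit(config_text):
    sets = sufficient_sets(config_text)
    return {
        # the original poster's surprise: logging in with just the password
        "password_alone_suffices": frozenset(["password"]) in sets,
        # the stolen-laptop case: a copied keypair is enough by itself
        "key_alone_suffices": frozenset(["publickey"]) in sets,
        "needs_key_and_password": frozenset(["publickey", "password"]) in sets,
    }

if __name__ == "__main__":
    for name, cfg in [("default", ""), ("key only", KEY_ONLY), ("both", KEY_AND_PASSWORD)]:
        print(name, audit(cfg))
```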

End of Firewalls-Digest V8 #1187
********************************

To unsubscribe from Firewalls-Digest, send the following command
in the body of a message to "[EMAIL PROTECTED]":

unsubscribe firewalls-digest

If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":

subscribe firewalls-digest [EMAIL PROTECTED]

A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".

Compressed back issues are available for anonymous FTP from
Lists.GNAC.NET, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).





