Brian:

Read the /etc/sshd_config file (assuming you are speaking of
ssh 1.x - for ssh2, you want to look at the files in
/etc/ssh2 if you are using default configs).

Here are the relevant lines from a default file:
-snip-
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
-snip-

As you can see, the options are configurable, and the ssh
daemon follows these configuration rules. As with anything
else, most options are available - you need to configure
them per your needs.

So you could set up ssh to do only RSA authentication /
password and RSA authentication / *any* authentication.

On a server where security is a necessity, .rhosts or
hosts.equiv or similar authentication methods are mostly a
very definite no-no.

Trust this helps. If you need more detail, we could take
this offline - reply to me only.

Cheers,

Mani

----- Original Message -----
From: "Brian J. Dyrehauge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 30, 2000 6:52 AM
Subject: Telnet vs SSH


| Hi there,
|
| I want the following setup:
|
| Internet
| Firewall
| Webserver
| Firewall
| Intranet
|
| What I need is to be able to logon to the Webserver from
| the Intranet, using userid/password on the webserver, and
| that has to be encrypted in the DMZ, as hackers easily can
| sniff from the DMZ (if you disagree then please tell me
| why).
|
| To logon to the webserver, one could use telnet, but that
| is not encrypted.
| One could also use SSH, but all that I know about
| SSH is that where I worked before, root used it to gain
| root-access to all other machines, using the '.rhosts'-file,
| without needing to supply a new userid/password to the other
| machines. That's pretty bad as well, I think.
|
| Now my question is, is it possible to use SSH and still
| require supplying userid/password to the Webserver?
| If not, then what would you suggest?
|
| Yours sincerely,
| Brian J. Dyrehauge
| Newbie IT Security Consultant
|
| -
| [To unsubscribe, send mail to [EMAIL PROTECTED] with
| "unsubscribe firewalls" in the body of the message.]
|
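
An added example, not part of the original messages: a small audit of an sshd_config against the requirement discussed in this thread (no rhosts-style trust, no empty passwords, password login available). The policy table and all names are assumptions made for this example; it reports every line that deviates, and any listed keyword that is not set at all.

```python
import re

# Assumed policy, taken from the thread: no rhosts-style trust, no empty
# passwords, password login enabled. Adjust to local requirements.
REQUIRED = {
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
}

# The lines quoted in the reply above.
SAMPLE = """\
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

def parse(text):
    """Yield (line_no, keyword, value), both lowercased, per directive."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and value are separated by whitespace and/or '='.
        m = re.match(r"([A-Za-z0-9]+)[\s=]+(\S.*)$", line)
        if m:
            yield no, m.group(1).lower(), m.group(2).strip('"').lower()

def audit(text):
    """Return (line_no, keyword, found, wanted) for every policy deviation."""
    findings, seen = [], set()
    for no, key, val in parse(text):
        if key in REQUIRED:
            seen.add(key)
            if val != REQUIRED[key]:
                findings.append((no, key, val, REQUIRED[key]))
    # An unset keyword falls back to a version-dependent default: report it.
    for key in sorted(REQUIRED.keys() - seen):
        findings.append((None, key, None, REQUIRED[key]))
    return findings

if __name__ == "__main__":
    for no, key, found, wanted in audit(SAMPLE):
        where = f"line {no}" if no else "not set"
        print(f"{key}: {where}, found {found!r}, policy wants {wanted!r}")
```

Run against the quoted lines, it flags RhostsRSAAuthentication and PermitEmptyPasswords; RSAAuthentication is left out of the policy table and would need adding where key-based login must also be refused.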
