Jordan Erickson wrote:
> (I apologize in advance for my harsh tone, I truly mean no offense. I'm 
> just, for whatever reason, pretty hell-bent as Rob says, about this. ;) )
> 
> David Burgess wrote:
>> Sure, but this setup doesn't prevent h4xorz in the far east from
>> breaking into my server on 13-year-old Kevin's account using his weak
>> password. I really couldn't care less if my clients access the server
>> on port 22 and my admins access it remotely on port 22, so long as my
>> clients' access is limited to the local interface. Show me how to
>> disable password authentication on the WAN interface, or how to apply
>> the AllowUsers option to only the WAN interface and I'll drop my case.
>>   
> **Like I said, run 2 instances of sshd, the second being with a -f 
> /path/to/secondary/config. Done. Problem solved. This is simple *nix 
> sysadmin stuff here.
> 
So tell me where you run this command that calls the secondary config
file.

I'll tell you how I did it:  I created an init script to do it.  That
required creating a file in /etc/default and in /var/run, and making
numerous changes to the init script.  If you have an easier way, I'd
like to know.

>> I'm not criticising the ltsp team. I love what they provide. And I'm
>> not asking anybody--I hope--to change the way your ssh server or ltsp
>> server operates. I simply think it would be a boon to the project to
>> remove some of the pain in creating what I suspect would be a fairly
>> popular scenario among ltsp admins and facilitate the ability to
>> access the server remotely without compromising the very good security
>> provided by the OpenSSH server.
>>   
> 
> LTSP doesn't compromise the security of openssh-server by simply 
> utilizing its facilities for a specific purpose. You're compromising the 
> security of openssh-server by:
> 
> 1) Using weak passwords
Even strong passwords are weak compared to public-key authentication
with a decent passphrase, which is why I *always* disable password
authentication on ssh daemons exposed to the WAN.

> 2) Opening a remote login service to the Internet as a whole and not, at 
> the very least, limiting access on a per-IP basis
I don't have a static IP address at home, so on machines I need to
administer from home I have to allow access to a range of IPs.  I assume
you're in the same boat.  This is one of the reasons I won't allow
password authentication on the WAN.

-Rob
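The two-instance setup Jordan describes, as an added example rather than anything posted in the thread: a POSIX shell script that writes the secondary sshd_config for a WAN-only listener (public keys only, AllowUsers limited to the admins) plus a small audit function that checks such a file before the second daemon is started with -f. The WAN address 203.0.113.10, the admin account "rob" and the file paths are assumed placeholders.

```shell
# Added example, not from the thread. Assumed placeholders: WAN address
# 203.0.113.10, admin account "rob", and the config/pid paths shown.
set -eu
WAN_ADDR=203.0.113.10
ADMIN_USERS=rob
# Print the secondary sshd_config. Only the WAN instance loads it (sshd -f);
# the stock /etc/ssh/sshd_config keeps serving LTSP clients on the LAN side.
gen_wan_sshd_config() {
    cat <<EOF
ListenAddress ${WAN_ADDR}
Port 22
PidFile /var/run/sshd-wan.pid
# Keys only: no password guessing against weak client accounts on this listener
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# Only the admin accounts may log in through the WAN instance
AllowUsers ${ADMIN_USERS}
EOF
}

# Audit a config meant for the WAN instance (pure shell, works without sshd).
# Returns 0 only if the global section binds a specific address, turns off
# password and challenge-response auth, and sets AllowUsers. sshd_config
# keywords are case-insensitive, so they are compared lowercased.
audit_sshd_config() {
    cfg="$1"; listen=0; pw=""; cr=""; allow=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"        # drop comments
        set -- $line              # split into keyword and value(s)
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        case "$key" in
            listenaddress) if [ "$val" != 0.0.0.0 ] && [ "$val" != :: ]; then listen=1; fi ;;
            passwordauthentication) pw="$val" ;;
            challengeresponseauthentication|kbdinteractiveauthentication) cr="$val" ;;
            allowusers) allow=1 ;;
            match) break ;;       # Match blocks are conditional; only global lines count here
        esac
    done < "$cfg"
    if [ "$listen" -eq 1 ] && [ "$pw" = no ] && [ "$cr" = no ] && [ "$allow" -eq 1 ]; then
        return 0
    fi
    return 1
}
# On the server (as root): gen_wan_sshd_config > /etc/ssh/sshd_config.wan,
# run audit_sshd_config and "sshd -t -f" on it, then start the second daemon
# with: /usr/sbin/sshd -f /etc/ssh/sshd_config.wan
```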
_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.freenode.net