On Wed, Oct 22, 2003 at 10:03:23PM -0400, Gene Mats wrote:
> Hello,
> I am having a problem with activating SSHD Host Based Authentication on
> my FreeBSD OS. Below is my /etc/ssh/sshd_config file.
>
> HostbasedAuthentication yes
> PermitRootLogin no
> VerifyReverseMapping yes
> IgnoreRhosts yes
> IgnoreUserKnownHosts yes
>
> My /etc/hosts.equiv and /etc/shosts.equiv have a few specific hostnames.
> But it seems I can still connect from any host -(.
> How can I block ALL hosts access to my SSHD? I tried putting in a minus
> minus in the /etc/hosts.equiv and /etc/shosts.equiv and I have the
> HostbasedAuthentication setting turned to up to yes. Still no success.
> Any help would be appreciated.

Yes -- {,s}hosts.equiv don't control what hosts you can connect from,
only what hosts will be allowed to bypass the usual authentication
step.

To prevent remote hosts connecting to your sshd(8), you can use
tcpwrappers (/etc/hosts.allow) or you can set up a firewall to filter
incoming packets to port 22.

Do you really need to use host based access control? It is not
generally recommended nowadays -- too many possibilities for spoofing
or other nastiness unless you really know what you're doing and the
rest of your network infrastructure is pretty bullet proof. It's
generally held to be preferable to use key based authentication --
these can be passwordless keys for unattended operation, and you
should make full use of the features of the ~/.ssh/authorized_keys
file that limit what hosts may connect and what commands they run
using any particular key.

Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks
Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614 Bucks., SL7 1TH UK
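
Added example, not part of the original message: a small Python check that reads ~/.ssh/authorized_keys-style entries and reports keys that lack the from= (permitted hosts) or command= (forced command) restrictions recommended in the reply above. The sample entries, host names, paths and key material are constructed placeholders, and the function names are this example's own.

```python
import re

# Key fields start with one of these prefixes; anything else is an options field.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")
# One option: a name, optionally ="value" (value may contain commas or spaces).
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

# Constructed sample input; hosts, paths and key material are placeholders.
SAMPLE = """\
# unattended backup key, restricted to one host and one command
from="10.0.0.5",command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3PLACEHOLDER backup
ssh-rsa AAAAB3PLACEHOLDER admin@laptop
from="*.example.org,!gw.example.org" ssh-rsa AAAAB3PLACEHOLDER cron
"""

def split_entry(line):
    """Split one entry into (options_field, remainder_with_key)."""
    if line.startswith(KEY_TYPES):
        return "", line                      # no options before the key type
    in_quotes, prev = False, ""
    for i, ch in enumerate(line):
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes        # whitespace inside quotes is data
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
        prev = ch
    return line, ""

def parse_options(opts):
    """Return {option_name: value or None} for a comma-separated options field."""
    return {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(opts)}

def audit(text):
    """List (line_number, [missing restrictions]) for entries lacking from=/command=."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # skip blanks and comments
        options = parse_options(split_entry(line)[0])
        missing = [o for o in ("from", "command") if not options.get(o)]
        if missing:
            findings.append((n, missing))
    return findings

if __name__ == "__main__":
    for lineno, missing in audit(SAMPLE):
        print(f"line {lineno}: no {' / '.join(missing)} restriction")
```
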