Hello,

I'm trying to configure ssh for my userbase in a manner that is as easy 
as possible for them to use - preferably as an invisible replacement 
for rsh.

My first take on this was to implement ssh's improved hostbased 
authentication system.
Reading through the docs, I found that it's not seen as secure enough to 
be enabled by default, but in searching the web I haven't been able to 
find a real discussion of what the risks and/or concerns were, and what 
other steps can be taken to reduce or eliminate them.
Any thoughts?

My situation is a farm of machines, where account information is 
centrally controlled, and distributed by NIS. I plan on also centrally 
controlling the master ssh_known_hosts file, and the /etc/shosts.equiv 
file. rsh will either be removed or linked to ssh, and in.rshd will be 
disabled. I'd prefer to configure ssh to ignore users' .rhosts files also.

Reading the docs about the configuration settings that can be set on this, I 
had decided to try this combo:

      Protocol 2
      HostbasedAuthentication yes
      IgnoreRhosts yes

There seem to be other (somewhat related) options, but unless I'm 
reading things wrong, they only apply to Version 1 of the protocol.

Is there a better way to do all this? Maybe I'm just missing something?
Any thoughts? advice?

  -Kyle
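
The plan in this message (a centrally managed ssh_known_hosts and /etc/shosts.equiv plus the three sshd settings) can be cross-checked before the files are distributed. The script below is an added example, not part of the original post and not OpenSSH code; its function names and sample data are constructed, and it assumes unhashed known_hosts entries and whitespace-separated sshd_config keywords.

```python
import fnmatch

# Constructed sample inputs (host names and key blob are placeholders).
SSHD_CONFIG = "Protocol 2\nHostbasedAuthentication yes\nIgnoreRhosts yes\n"
SHOSTS_EQUIV = "node01.farm.example.com\nnode02.farm.example.com\n+\n"
KNOWN_HOSTS = "node01.farm.example.com,10.0.0.1 ssh-ed25519 AAAA_CONSTRUCTED\n"

def sshd_settings(text):
    """Global sshd_config keywords; sshd keeps the first value it reads."""
    seen = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts and parts[0].lower() == "match":
            break  # Match blocks are conditional, so stop at the first one
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return seen

def equiv_hosts(text):
    """Split shosts.equiv into plain host names and +/- style entries."""
    plain, odd = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            (odd if fields[0][0] in "+-" else plain).append(fields[0].lower())
    return plain, odd

def known_patterns(text):
    """Host patterns from ssh_known_hosts (marker and hashed lines skipped)."""
    pats = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and not f[0].startswith(("#", "@", "|")):
            pats += [p.lower() for p in f[0].split(",") if not p.startswith("!")]
    return pats

def audit(sshd_config, shosts_equiv, known_hosts):
    findings, cfg = [], sshd_settings(sshd_config)
    if cfg.get("hostbasedauthentication", "no") != "yes":  # default is no
        findings.append("HostbasedAuthentication is not enabled")
    if cfg.get("ignorerhosts", "yes") != "yes":  # default is yes
        findings.append("IgnoreRhosts is not yes: per-user files are consulted")
    (plain, odd), pats = equiv_hosts(shosts_equiv), known_patterns(known_hosts)
    for host in plain:
        if not any(fnmatch.fnmatchcase(host, p) for p in pats):
            findings.append(f"{host}: trusted in shosts.equiv, no key in ssh_known_hosts")
    findings += [f"{h}: +/- entry in shosts.equiv, review by hand" for h in odd]
    return findings

print("\n".join(audit(SSHD_CONFIG, SHOSTS_EQUIV, KNOWN_HOSTS)))
```

A host listed in shosts.equiv without a matching key in ssh_known_hosts cannot pass hostbased authentication, so running this against the master copies catches drift between the two files.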