Hello,

> But, at the conference, she plugs her laptop into the remote network
> and receives an IP assignment, perhaps statically or via dhcp, and
> tries to ssh home.  What happens?  Will she get through?

Is there a firewall at the conference site? Will it let outbound TCP
traffic on port 22 pass?

Is there a firewall at your site? Will it let inbound TCP traffic on
port 22 pass?

Which version(s) of ssh are you using?

With or without TCP Wrappers?

> At present, I've configured sshd to do StrictHostChecking.  Why?  Because I

Sorry to appear stupid, but I can't find this parameter in either the
man pages or the source code of 1.2.27 or 2.0.13. What does it do?

However, there is a parameter in the config file of 2.0.13 that might be
relevant and is on by default ("RequireReverseMapping"). It is not
documented in the sshd2 2.0.13 manpage dated Apr 29, 1999. What I assume
this does is that if you are connecting from an IP address that does not
reverse map back to a DNS name at all, the connection will be refused.

Now it would not make much sense for a site to not have reverse mapping
for its DHCP addresses, but it is possible. In this case the connection
would be refused.

> don't know any better and I figure being more restrictive at the beginning
> is a good place to start until I understand the implications of removing it.

DNS-based "authentication" doesn't do the job anyway.

Assuming the basic IP connectivity is in place, you might choose to
restrict access so that the user could not connect with a password from
a remote location but only using their public/private key pair. This
leaves the problem of the private key being somehow got. There are two
things to protect against this: protecting the key with a passphrase,
and, since this is user-modifiable, forcing the use of an encrypting
filesystem on the laptop (without user-modifiable passphrases) to make
sure that the key file is safe in case the laptop gets into the wrong
hands.

That help you?

-- 
Atro Tossavainen - email available at URL below - +358-9-850-111-86
http : / / www . iki . fi / atro . tossavainen /
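
A server-side configuration along the lines of the reply above (password logins only from the home network, keys only from anywhere else), as an added example that is not from the thread; it uses current OpenSSH sshd_config directives rather than the sshd2 2.0.13 options discussed, and 192.0.2.0/24 is an assumed placeholder for the home LAN:

```text
# Weak: the defaults in many old installs. Passwords are accepted from
# any source address, so a guessed or sniffed password is enough.
#   PasswordAuthentication yes
#   PermitRootLogin yes

# Hardened: keys only by default, everywhere.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no

# Note: OpenSSH does not refuse connections whose source IP lacks a PTR
# record (the behaviour assumed for sshd2's RequireReverseMapping above).
# UseDNS only controls whether the reverse name is looked up and
# cross-checked for logging and for from="host" patterns in
# authorized_keys; as the reply says, DNS is not authentication anyway.
UseDNS no

# Exception: allow passwords only from the home network (assumed
# placeholder range). The Match block must be the last section of the
# file, since everything after a Match line belongs to it.
Match Address 192.0.2.0/24
    PasswordAuthentication yes
```

Check the result with `sshd -T -C addr=203.0.113.5` (a remote address) and `sshd -T -C addr=192.0.2.10` (a home address) to see which `passwordauthentication` value applies before restarting the daemon.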
