Re: Securing SSH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Roland Venter <rolandv@xxxxxxxxxx> [10-Jan-2004 12:52]:
> I need to manage several servers remotely via SSH, I'm interested in ways to
> secure the connection and prevent unauthorised access.
> 
> My thoughts:
> Limit access to only allow remote connections from our management network
> via iptables rules. Works but what if our ISP changes our fixed IP, which
> means we are effectively locked out from all the servers and requires a site
> visit to update the rules.

Check out comments in /etc/security/access.conf.  It seems that you can
use symbolic domain names instead of IP address.  This should give you
more freedom.

Alternatively, you can have a script that regenerates your iptables
ruleset once in a while (say daily).  This script can take a list of IP
address allowed to access from some external source, such as an LDAP
directory.  This way, in case of any IP change, you will have to only
update your central storage and all hosts will use the information
within the update period.  Just an idea. :)

> We also need to provide access to engineers working from home using dialup,
> etc
> Some sort of client certificates to supplement username and password,
> Recommendations on securing the SSH daemon etc
> Any ideas and tips appreciated

openssh does support key-based autorization.  Check out "man ssh" and
"man ssh-keygen".

-- 
 Leonid Mamtchenkov.
 http://www.leonid.maks.net

BOFH: We're on Token Ring, and it looks like the token got loose.




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux