On 4/18/06, Adrian Irving-Beer <wisq-oclug [ at ] wisq [ dot ] net> wrote:
> On Sun, Apr 16, 2006 at 06:47:56PM -0400, Dan Langille wrote:
>
> > Also, make use of the ssh config file to limit incoming connections
> > to known IP addresses.
> >
> > And best of all, require the use of ssh keys to login, not
> > passwords.
>
> What I do is, I have one secure workstation that has keys to every
> system out there, and those keys are accepted from any IP address.
>
> Any other workstations or servers that need to connect to other
> servers have their own client keys. These keys are only accepted from
> that specific server's IP, so one cannot grab a key from a given
> system and use it to connect from somewhere else.
>
> Finally, all other authentication methods are disabled, making these
> keys the only way to get in.
>
> To me, this is the best of both worlds, since it limits the damage
> that cracking any one key can do. It applies IP-based restrictions
> that are actually stricter than just a general "can only SSH from
> these IPs" rule, and it still allows me to connect from anywhere in
> the case of a problem.

I like the idea of using keys instead of passwords. I managed to deny root login (couldn't get it to work when I tried it last time for some reason - may have been a case sensitivity issue when putting No instead of no). I can't limit to a specific IP as I have a dynamic IP from home, plus I want the ability to log in while roaming.

What I was thinking of doing was creating a user with basically no privileges other than an empty home directory and only allow that user to ssh to the box (with proper key). Then I'd su to a more privileged user (or root if necessary). That way if the user was compromised, they'd then also have to compromise root or another user account to be able to do anything at all. Being the only local user on that server and therefore the only person who'd ssh to it, it's easy for me to use this type of solution.
I gather the instructions on how to generate & use keys are documented on the openssh.org web site? I haven't looked yet, but will once I get a chance. Thanks, Jacques B.