venquessa2 (Apprentice)
Joined: 27 Oct 2004 Posts: 283
Posted: Tue Jun 07, 2005 5:34 pm Post subject: Internal / External SSH config.

What would be the easiest way to have separate internal and external ssh configs? I'd like to allow root logins that come from LAN IPs for ssh backup purposes, but don't want to allow root logins remotely.
Hold on... why do I want to disable remote root logins?
I assume it's still unwise to allow root logins even when using passphrased DSA keys? "root is the one user they will 'always' try", eh?
Root remote logins are handy for forwarding privileged ports like IMAP I suppose, but I've been trying to avoid them and use OpenVPN.
The other Internal/External config I would "like" to do is enable plain old password authentication and passphrase-less DSA keys on the LAN IPs, for when I need to log in from a Windows box that doesn't have a copy of my key yet and for quick non-keychain logins and scp commands.
Here's what I'm thinking....
If I run an sshd on port 22 like normal, but only accepting from local IPs, and publicly firewall port 22, I would have a LAN-only ssh on the "normal" port. Ease of use for the LAN.
If I run another sshd on port 1022 (or 1122, or 2222 etc.) that listens through the firewall for remote connections, then I can config it for remote non-root DSA-only logins.
Both could have separate config files and I could achieve all I want. How does one go about running 2 sshd's on Gentoo? If there's a better way, before I go editing the boot scripts...
Another option I have considered is to run the remote-listening SSH on another machine, within a chroot maybe (say the firewall itself), and then allow the normal login server to accept ssh from that machine. Kind of an onion skin idea. It would make remote scp commands and things a little more taxing.
There are so many options with SSH, what are your thoughts?
_________________
Paul
kernelsensei (Bodhisattva)
Joined: 22 Feb 2004 Posts: 5619 Location: Woustviller/Moselle/FRANCE (49.07°N;7.02°E)
Posted: Tue Jun 07, 2005 5:41 pm Post subject:

You can specify the users to allow or deny.
For example, in your sshd_config:
Code:
    AllowUsers *@192.168.* boris@* copains@* rezo@*
The *@192.168.* allows root from the LAN,
but you have to set PermitRootLogin yes.
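To make that AllowUsers line concrete, here is an added Python model (written for this thread, not OpenSSH's own code) of how sshd evaluates DenyUsers and AllowUsers: a user@host entry globs the host part against both the client's hostname and its IP string, while a CIDR host part such as 192.168.0.0/16 (supported by current OpenSSH) is compared numerically, which is tighter than the string glob *@192.168.*. The lists only filter who may authenticate; PermitRootLogin is a separate check, which is why the reply says it still has to be set.

```python
"""Model of OpenSSH's AllowUsers/DenyUsers evaluation (added example, not from the thread)."""
import ipaddress


def match_pattern(s: str, pattern: str) -> bool:
    """OpenSSH-style glob: only '*' and '?' are special (no character classes)."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        # '*' matches any run of characters, including an empty one
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def match_host_and_ip(host: str, ipaddr: str, pattern: str) -> bool:
    """Host half of an entry: a CIDR block is compared numerically against the
    client address; anything else is globbed against the hostname (case-insensitive)
    and against the address written as a string."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ipaddr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return match_pattern(host.lower(), pattern.lower()) or match_pattern(ipaddr, pattern)


def match_user(user: str, host: str, ipaddr: str, pattern: str) -> bool:
    """An entry is either 'user' or 'user@host'; both halves must match."""
    if "@" not in pattern:
        return match_pattern(user, pattern)
    upat, hpat = pattern.split("@", 1)
    return match_pattern(user, upat) and match_host_and_ip(host, ipaddr, hpat)


def allowed_user(user, host, ipaddr, allow_users=(), deny_users=()):
    """DenyUsers is checked first; if AllowUsers is non-empty the user must match an entry.
    PermitRootLogin is evaluated separately by sshd and is not modelled here."""
    if any(match_user(user, host, ipaddr, p) for p in deny_users):
        return False
    if allow_users and not any(match_user(user, host, ipaddr, p) for p in allow_users):
        return False
    return True


# Constructed sample: the AllowUsers line from the reply above
LAN_ALLOW = ("*@192.168.*", "boris@*", "copains@*", "rezo@*")
```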
Korr.ban (Tux's lil' helper)
Joined: 05 Jul 2004 Posts: 98 Location: Ex Inferis
Posted: Wed Jun 08, 2005 2:05 am Post subject:

I don't understand what's so hard about just doing su... From what I remember, it is unsafe to allow root login from anywhere, even if it's your LAN.
It is possible to spoof an internal IP address, so it's not really as secure as simply using su... am I wrong?
venquessa2 (Apprentice)
Joined: 27 Oct 2004 Posts: 283
Posted: Thu Jun 09, 2005 2:31 am Post subject:

You can't tunnel ports < 1024 if you aren't root.
Spoofed IPs will not make it through the firewall, and even if they did they wouldn't get a reply.... as the reply goes to the local IP. Spoofed IP attacks, I believe, are mostly used to cause DoS within networks, not to fool access lists per se.
_________________
Paul