13 February 2007

ssh security features

ssh keys are a nice alternative to password authentication, and putty is a pretty cool ssh client for Windows. There's a good tutorial on howtoforge which discusses many of the features of the putty suite, including key generation (puttygen) and putty's ssh-agent (pageant).

And as the above article mentions, the PasswordAuthentication option in sshd_config can be set to no to force the use of ssh keys (password authentication is then disabled).

AllowUsers is another good sshd_config option. It takes a list of users who are allowed to connect via ssh; any user not in the list is refused. It's good for defeating ssh scans which try a few passwords against common account names (root, guest, etc.). Another trick that might help dodge ssh scans is to run ssh on a port other than 22. The Port sshd_config option (or ListenAddress with a host:port) can be used to run ssh on some other, non-standard port.

A nice trick for your ~/.ssh/authorized_keys file is to specify the source hosts from which a given key may be used. If you have the following in your authorized_keys file, then the key in question can only be used for connections from the hosts listed in the from list:
from="this_host,that_host" ssh-dss ...key data... USER@HOST
(This is discussed in the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page.)
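As an added example (not code from this post or from OpenSSH itself), here is a small Python model of how sshd reads the options part of an authorized_keys line and applies a from= pattern list, with the '*' and '?' wildcards and '!' negation the sshd man page describes; the sample line, key data and hostnames are constructed, and treating a leading key-type token as "no options" is a simplification.

```python
import re
# Constructed sample line in the post's authorized_keys format (placeholder key data).
SAMPLE_LINE = ('from="*.example.org,!bad.example.org,10.0.0.?" '
               'ssh-dss AAAAB3...placeholder... USER@HOST')

def parse_authorized_key(line):
    """Split a line into (options, key_type, key_data, comment).
    Options end at the first space outside double quotes; a backslash escapes
    the next character inside quotes, as in sshd's parser. Simplification: a
    line whose first token is a key type is taken to have no options."""
    line = line.strip()
    if line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, rest = "", line
    else:
        in_quotes, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quotes:
                i += 2                      # skip the escaped character
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == " " and not in_quotes:
                break
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def from_patterns(options):
    """Return the pattern list inside from="...", or None if there is none."""
    m = re.search(r'(?:^|,)from="((?:[^"\\]|\\.)*)"', options)
    return m.group(1).replace('\\"', '"') if m else None

def host_allowed(patterns, host):
    """sshd's pattern-list rule: '*' and '?' are wildcards, a matching '!'
    pattern rejects the host at once, otherwise any positive match allows it."""
    if patterns is None:
        return True                         # no from= option: usable anywhere
    allowed = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        rx = "^" + re.escape(body).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(rx, host, re.IGNORECASE):
            if negate:
                return False
            allowed = True
    return allowed
```

sshd tests the patterns against both the client's resolved hostname and its IP address, so a real check has to run host_allowed for both.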

Finally, the denyhosts project claims to be able to dynamically edit the tcp_wrappers file (/etc/hosts.deny) when dictionary attacks are detected. It would probably be really useful for a server with lots of ssh users who need to log in from anywhere and everywhere.
