[EMAIL PROTECTED] wrote:
Hi!
I want to make ssh-access possible only from a restricted
number of hosts - those that are named in /etc/hosts.allow.
Users who want to login have a DynDNS host-name that shall
be listed in hosts.allow to make it possible for users with
a dial-up internet connection, too.
BUT:
The problem is that I can only login to the ssh-machine
when I enter the IP-address to the hosts.allow file.
Specifying the hosts DNS-name does not work!
AND:
I'd prefer to specify the rules for logging into the machine
in the sshd_config-file, not in hosts.allow/deny.
But the AllowHosts/DenyHosts-options that could be used in
/etc/sshd_config earlier seem to be no longer
available in the SSH version I'm using.
It's: openssh-3.4p1-80 on a SuSE 8.1
Does anybody have ideas on these 2 problems?
thx in advance,
Klaus
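The behaviour Klaus runs into comes from how tcp_wrappers (the library behind hosts.allow/hosts.deny) matches hostnames: it does not resolve the names listed in the file, it reverse-resolves the connecting IP address, forward-confirms that name, and compares the result with the patterns. A DynDNS name whose A record points at a dial-up address therefore never matches, because the PTR record of that address belongs to the ISP. The following added example (not part of the thread, written for illustration) emulates that decision procedure over constructed DNS tables and constructed hosts.allow/hosts.deny contents; the host names and addresses are made up. The same reverse-lookup rule applies to the hostname form of `AllowUsers user@host` in current OpenSSH, which is the closest replacement for the removed AllowHosts/DenyHosts options.

```python
import ipaddress

# Constructed DNS data (not real hosts). Note that the dial-up address
# 203.0.113.7 has an ISP-owned PTR record, while the DynDNS name only
# has a forward (A) record pointing at it.
FORWARD = {
    "klaus.dyndns.example": "203.0.113.7",
    "dialup-7.isp.example": "203.0.113.7",
    "office.example.org": "198.51.100.20",
}
REVERSE = {
    "203.0.113.7": "dialup-7.isp.example",
    "198.51.100.20": "office.example.org",
}

# Constructed access-control files in hosts.allow / hosts.deny syntax.
HOSTS_ALLOW = "sshd: klaus.dyndns.example, office.example.org\n"
HOSTS_DENY = "ALL: ALL\n"


def verified_hostname(ip):
    """Emulate tcp_wrappers: PTR lookup on the client address, then check
    that the returned name resolves back to the same address. A missing
    PTR or a forward/reverse mismatch yields no usable hostname."""
    name = REVERSE.get(ip)
    if name is None or FORWARD.get(name) != ip:
        return None
    return name


def pattern_matches(pattern, ip, hostname):
    """Match one client pattern the way tcp_wrappers does."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # ".example.org": any host in the domain
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # "203.0.113.": address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                   # "net/mask" with a dotted mask
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    # Otherwise an exact address or an exact (reverse-verified) hostname.
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def allowed(daemon, ip, hosts_allow, hosts_deny):
    """tcp_wrappers order: first matching hosts.allow rule grants, first
    matching hosts.deny rule refuses, no match at all grants."""
    hostname = verified_hostname(ip)
    for rules, verdict in ((parse_rules(hosts_allow), True),
                           (parse_rules(hosts_deny), False)):
        for daemons, clients in rules:
            if daemon in daemons or "ALL" in daemons:
                if any(pattern_matches(c, ip, hostname) for c in clients):
                    return verdict
    return True


if __name__ == "__main__":
    for ip in ("198.51.100.20", "203.0.113.7"):
        print(ip, "->", verified_hostname(ip),
              "allowed" if allowed("sshd", ip, HOSTS_ALLOW, HOSTS_DENY) else "denied")
```

Running it shows the office host admitted (its PTR and A records agree and the name is listed), while the dial-up client is refused even though klaus.dyndns.example currently points at it: the name tcp_wrappers sees is dialup-7.isp.example. Listing the address literally, or a CIDR/netmask range, is the only thing that works with a hostname-based filter for such clients, which is why a second factor such as keys or one-time passwords is the more robust control.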
Another solution would be to use tacacs+ with s/key as an authentication
and authorization mechanism. Everyone that is successfully authenticated
by your tacacs+ server after supplying his one time password, could gain
access to the ssh service of your machine. This way you don't need to
configure dynamic dns resolutions.
I also think the ssh daemon has some support for s/key. This could help
a bit.
I think public keys are all right, they add a great deal in security,
but you'll have to force all users to get their keys. Now, depending on
your users' level of cooperation and knowledge this might be quite a task.
And then you'll have to add their public keys in their home directories
(which means that you have found a secure way of obtaining the keys from
the users) and sometimes even modify them in order for your ssh daemon
to read them properly. One could argue that you could let the users
login using their password and then install the public keys themselves.
But again, how many of your users are able to successfully fulfill this
installation?
However, you could perhaps generate yourself the keys, install them and
then deliver them (you still need a secure way of delivering).
~kmag
p.s. At the end, maybe it's just me, with a bad experience with users :-)
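A common reason the admin-side key installation kmag describes goes wrong is not the key material but file ownership and modes: with the default StrictModes, sshd ignores authorized_keys when ~/.ssh or the file is group- or world-writable. The following added example (not from the thread) installs a public-key line the way an administrator would after receiving it out of band, enforcing the modes sshd accepts and skipping keys already present. The key blob and user names are constructed; keys delivered in the SECSH/ssh.com format can be converted beforehand with the standard `ssh-keygen -i -f keyfile`.

```python
import os
import stat
import tempfile
from pathlib import Path

# OpenSSH public-key line types; an authorized_keys line may carry
# options (e.g. from="...") before the type, so we search for the type token.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def key_identity(line):
    """Return (type, base64 blob) of a key line, or None if it is not one.
    Comments and options are ignored so the same key is not added twice."""
    toks = line.split()
    for i, tok in enumerate(toks):
        if tok.startswith(KEY_TYPES) and i + 1 < len(toks):
            return (tok, toks[i + 1])
    return None


def install_authorized_key(home, key_line):
    """Append key_line to home/.ssh/authorized_keys with StrictModes-safe
    permissions (~/.ssh 0700, authorized_keys 0600).
    Returns True if the key was added, False if it was already present."""
    identity = key_identity(key_line)
    if identity is None:
        raise ValueError("not an OpenSSH public key line")

    ssh_dir = Path(home) / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # mkdir's mode is masked by umask; force it
    auth = ssh_dir / "authorized_keys"

    existing = auth.read_text().splitlines() if auth.exists() else []
    if any(key_identity(l) == identity for l in existing if not l.startswith("#")):
        return False

    with open(auth, "a") as fh:
        fh.write(key_line.strip() + "\n")
    os.chmod(auth, 0o600)
    return True


def demo():
    """Run the installer in a throwaway home directory (constructed data)
    and return what a test would want to check."""
    home = tempfile.mkdtemp()
    blob = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobNotARealKey"
    first = install_authorized_key(home, f"ssh-ed25519 {blob} klaus@dialup")
    # Same key again, different comment and with a restricting option: skipped.
    second = install_authorized_key(home, f'from="203.0.113.7" ssh-ed25519 {blob} klaus@home')
    ssh_dir = Path(home) / ".ssh"
    return {
        "first_added": first,
        "second_added": second,
        "dir_mode": stat.S_IMODE(ssh_dir.stat().st_mode),
        "file_mode": stat.S_IMODE((ssh_dir / "authorized_keys").stat().st_mode),
        "lines": len((ssh_dir / "authorized_keys").read_text().splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

The dedupe compares only the key type and blob, so a re-submitted key with a new comment does not pile up duplicate lines; if you want the new options applied, remove the old line first. In production the file must also be owned by the user, so run this as root followed by a chown to the account, or as that user.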