[Linux4christians] Kubuntu, SSH, and Putty on a Windows box
JT Moree
moreejt at xperienceinc.com
Mon Aug 14 08:29:57 EDT 2006
Matthew Lewis wrote:
> Thanks, that did it. Apparently there's something somewhere that
> prevents proper operation if the permissions aren't exactly right,
> because 777 (as I understand it) is pretty much full access,
> everyone-can-do-what-they-want, right?
Yes, that is an ssh 'feature'. It won't run with the wrong permissions.
>
> So anyway, I'm back in and it's working great. Just to run down what
> I've done for security, here it is:
>
> Disabled root login
> Disabled password authentication
> Disabled challenge response authentication
> Disabled Rhosts RSA authentication
> Disabled host-based authentication
> Disabled RSA authentication
> Enabled privilege separation
> Enabled strict mode
> Disabled sftp
> Disabled X11 forwarding
> Set PermitEmptyPassword (in sshd_config) to 'no'
> Set IgnoreUserKnownHosts to 'yes'
> Set MaxAuthTries to '3'
If you want it to be even more secure then unplug the network cable.
Seriously, there is a balance between security and usability. Each
person has to decide that balance for themselves. If you don't ever
need any of those features then disabling them is fine.
> One thing that concerns me is that, once logged in to SSH, I can run
> sudo commands just as though I were physically sitting at the computer
> I'm SSH'ing to. That's handy, but is it secure? Really, I only need
Yes, *nix does not differentiate on the basis of location. It is one of
the best things about it. Unlike some other OS's you don't have to be
sitting in front of it to get things done.
> SSH in order to edit three or four specific files and run one or two
> specific commands (which do require sudo under normal circumstances).
> Is there any way to lock down SSH logins to only allow those specific
> functions, and if so, is this necessary or desirable?
There is probably a utility to do that but I don't know. You might
google for
ssh limit access
or something.
--
JT Morée
PC Xperience, Inc.
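
The hardening list quoted in this message maps onto `sshd_config` directives, so it can be checked mechanically. The script below is an added example, not part of the original e-mail or written by either poster: it audits a config file's global section against that list. The directive names are OpenSSH's own (the empty-password option is spelled `PermitEmptyPasswords`); the function names and the sample config are constructed for illustration.

```python
import re

# The thread's settings as OpenSSH directive names (several of these 2006-era
# keywords are deprecated today). Keys are lowercase: keywords ignore case.
EXPECTED = {
    "permitrootlogin": "no", "passwordauthentication": "no",
    "challengeresponseauthentication": "no", "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no", "rsaauthentication": "no",
    "useprivilegeseparation": "yes", "strictmodes": "yes",
    "x11forwarding": "no", "permitemptypasswords": "no",
    "ignoreuserknownhosts": "yes", "maxauthtries": "3",
}
LINE = re.compile(r"(\w+)(?:\s*=\s*|\s+)(.*)$")

def parse(text):
    """Return (settings, subsystem names) from the global part of the file."""
    settings, subsystems = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # blank, comment, or keyword with no value
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # conditional blocks are out of scope here
            break
        if key == "subsystem":
            subsystems.append((value.split() or [""])[0].lower())
        else:
            settings.setdefault(key, value)   # sshd keeps the first value it sees
    return settings, subsystems

def audit(text):
    """List directives that are unset or differ from the thread's choices."""
    settings, subsystems = parse(text)
    findings = [f"{k}: want {v}, got {settings.get(k, 'unset')}"
                for k, v in EXPECTED.items() if settings.get(k) != v]
    if "sftp" in subsystems:
        findings.append("subsystem sftp is enabled")
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication=no
X11Forwarding yes
MaxAuthTries 6
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    X11Forwarding no
"""
```

Directives reported as `unset` fall back to whatever default the installed sshd was built with, so they are flagged for review rather than assumed safe.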