Mailing Lists: Apple Mailing Lists


Re: SSH Authentication



On Aug 29, 2005, at 10:26 PM, Josh Wisenbaker wrote:


On Aug 29, 2005, at 7:33 PM, Edward Marczak wrote:


On Aug 29, 2005, at 8:35 AM, Jose L. Hales-Garcia wrote:




On Jul 17, 2005, at 7:44 PM, Chad Morris wrote:



I need my users to be able to connect to my OD Master via SSH. The users are in the LDAP directory. Is this possible?



I would just add that you should secure your server against SSH brute force probes. There is a great deal of it going on. On the server product, root has a shell and by default SSH is configured to allow remote root access. I highly recommend turning this behavior off. It can be done using the firewall or with other products like snort. But the quick way is to set PermitRootLogin to no in file /etc/sshd_config.




...and then you'll completely clobber the ability for OD replicas to sync. Fine in some cases, of course, but catches others by surprise.



Messing with SSH just messes with replica creation. Regular replication will be fine.

"PermitRootLogin without-password" is another option to consider. It permits you to log in as root only if you have pre-arranged public/private keys, which can be locked to particular IP addresses. It still permits you to log in with root's password on the console for emergencies, but prevents someone from trying to do a brute-force password guessing attack.


I'm not sure if this messes with replica creation or not. (and if it does, someone should file a bug against ssh_command).

I believe I found this tip in "Firewalls and Internet Security" by Bellovin, Cheswick and Rubin as a way to protect the root password from exposure.

Tom
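Added example, not code from the thread or from Apple: a small shell script that does the two things discussed above, setting PermitRootLogin (to "no" as Jose suggests, or to "without-password" as Tom suggests) and building a root authorized_keys entry that is locked to one source address with a from= restriction. It edits a constructed copy of the config rather than the live /etc/sshd_config (the path on Mac OS X Server 10.4; later OpenSSH builds use /etc/ssh/sshd_config), and the key string and source address are placeholders. Caveat from later OpenSSH releases: "without-password" was renamed "prohibit-password" in OpenSSH 7.0 and the old spelling is kept only as an alias.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Hardens the PermitRootLogin
# directive in a copy of sshd_config and emits a host-restricted root key entry.

# set_permit_root_login FILE VALUE
# Rewrite every PermitRootLogin line in FILE, commented or not, to
# "PermitRootLogin VALUE"; append the directive if the file has none.
set_permit_root_login() {
    file=$1
    value=$2
    tmp="$file.tmp"
    sed "s/^[[:space:]]*#*[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin $value/" "$file" > "$tmp"
    if ! grep -q "^PermitRootLogin " "$tmp"; then
        echo "PermitRootLogin $value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# permit_root_login FILE
# Print the effective value: sshd honours the first uncommented match, and
# the compiled-in default when the directive is absent or commented is "yes".
permit_root_login() {
    val=$(grep "^[[:space:]]*PermitRootLogin[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    echo "${val:-yes}"
}

# root_key_entry SOURCE PUBKEY_LINE
# Build an authorized_keys line for /var/root/.ssh/authorized_keys that only
# accepts this key from SOURCE (an address, CIDR block or host pattern) and
# turns off forwarding, so a leaked key is useless from anywhere else.
root_key_entry() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Demo on a constructed sample config (not a real server's file).
demo() {
    cfg=$(mktemp "${TMPDIR:-/tmp}/sshd_config.XXXXXX")
    printf '%s\n' 'Protocol 2' '#PermitRootLogin yes' 'PasswordAuthentication yes' > "$cfg"
    echo "before: $(permit_root_login "$cfg")"        # yes (commented line = default)
    set_permit_root_login "$cfg" without-password
    echo "after:  $(permit_root_login "$cfg")"        # without-password
    # Placeholder key and address for illustration only.
    root_key_entry 192.0.2.10 "ssh-rsa AAAAB3placeholder root@admin-host"
    rm -f "$cfg"
}
demo
```

After changing the directive, restart sshd (on 10.4 Server that meant toggling SSH in Server Admin or kicking the launchd job) and test from a second session before closing the one you are in, so a typo cannot lock you out.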

Macos-x-server mailing list (email@hidden)
Copyright © 2007 Apple Inc. All rights reserved.