Way OT: SSH worries

William Burns William.Burns at AEROFLEX.COM
Tue Aug 17 01:15:58 IST 2004


<x-flowed>
I wrote a script to turn sshd on+off that gets called by inetd.
I telnet to a specific port, type in a "pass-phrase", and my sshd starts
(on a non-standard port, only allowing connections from specific subnets)
Then I run ssh.
After I exit the ssh session, I telnet to that same "specific port", and
type in the turn-off-ssh "pass-phrase", and sshd shuts down again.

Since sshd is only needed to initiate an ssh session, I could even turn
on the sshd for the brief moment that it takes for me to start my ssh shell.
This was pretty easy to set up.
Now, unless someone finds a TELNET vulnerability, I'm pretty safe.

I've always been paranoid about ssh, because I assumed it inherited
"worst-practices" from rsh, and I never found a how-to on configuring
sshd to ignore all the per-user config files that rsh supported.

-Bill

Alex Neuman wrote:

>Reminds me of those "less filling vs. tastes great" deals. Why not both?
>I'm seriously considering:
>
>1. Only having one account authorized to log in using SSH,
>2. On an obscure port
>3. Using keys only (no passwords)
>4. From a specific number of locations with the same exact requirements.
>
>

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>



More information about the MailScanner mailing list