FW: [clug] SSH attack
Sam Couter
sam at couter.dropbear.id.au
Fri Jul 29 12:56:45 GMT 2005
Robert Edwards <Robert.Edwards at anu.edu.au> wrote:
>
> Seems to me that neither TCP wrappers, nor a firewall, can provide what
> people really want from a proper SSH access control, namely, to limit
> access by arbitrary combinations of:
> - username
> - authentication method (password, keys, pass-phrase etc.)
> - SSH version (1,2 etc.)
> - source IP address (whether or not it reverse-DNS resolves properly)
> - application to be run (in some cases)
> - number of unsuccessful attempts in past X hours
I think the standard PAM modules can do most of this already, plus more
(like time-based access control).
If the auth stack is called, then they're doing the authentication,
otherwise it was by public key. If it's by public key, I don't think the
server knows or cares whether the private half has a passphrase.
The SSH protocol version is probably hard to pass to PAM, but I think
the rest is covered. Oh, except the desired command to run, but SSH
partially handles that with the "command" option in authorized_keys.
--
Sam "Eddie" Couter | mailto:sam at couter.dropbear.id.au
Debian Developer | mailto:eddie at debian.org
| jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
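Put together as an added example for this archived thread (it is not Sam's or Robert's configuration, nor anything from the CLUG list itself), here is what "the standard PAM modules" plus the authorized_keys "command" option look like when wired up against Robert's list. Module names and file paths follow Linux-PAM and OpenSSH as commonly packaged; distributions lay their PAM stacks out differently, and on current releases pam_tally2 has been replaced by pam_faillock. The Match block is an OpenSSH 4.4 feature, so it postdates this 2005 discussion. The user names, host name, address ranges and the rsync-only wrapper path are made up for illustration.

```text
# --- sshd_config (OpenSSH) ---
# Hand sshd's auth/account/session phases to PAM.
UsePAM yes
# The only knob for the "SSH version" item; current servers no longer speak SSH1 at all.
Protocol 2
# Only needed if the PAM rules below name hosts rather than addresses
# (UseDNS has defaulted to "no" since OpenSSH 6.8).
UseDNS yes
# Match blocks (OpenSSH 4.4 and later) combine user, source address and
# authentication method inside sshd itself, without PAM.
Match Address 203.0.113.0/24 User backup
    PasswordAuthentication no
    PubkeyAuthentication yes

# --- /etc/pam.d/sshd (Linux-PAM) ---
# auth: consulted only for password / keyboard-interactive logins.
# Lock the account for an hour after five failures; fail closed if the tally file is unreadable.
auth     required   pam_tally2.so deny=5 unlock_time=3600 onerr=fail
auth     include    system-auth
# account: runs for every login, public-key logins included.
# pam_tally2 here resets the failure counter on a successful login.
account  required   pam_tally2.so
# user x origin (access.conf) and time-of-day (time.conf) checks.
account  required   pam_access.so
account  required   pam_time.so
account  include    system-auth
session  include    system-auth

# --- /etc/security/access.conf (pam_access): permission : users : origins ---
# First matching line wins; the trailing line denies everything not listed above it.
+ : root   : 192.168.1.0/24
+ : backup : backup-host.example.com
- : ALL    : ALL

# --- /etc/security/time.conf (pam_time): services;ttys;users;times ---
# "contractor" may log in over ssh on weekdays, 08:00 to 18:00 only.
sshd;*;contractor;Wk0800-1800

# --- ~backup/.ssh/authorized_keys: per-key restrictions ---
# from= limits the key to a source range, command= forces a fixed program,
# the no-* options close off the channels a forced command does not need.
from="203.0.113.0/24",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... backup@backup-host
```

Two things to check before relying on this. First, the split Sam describes between "the auth stack was called" and "it was public key" only affects the auth stack: with UsePAM yes, sshd still runs the account and session stacks for a public-key login, so pam_access and pam_time decisions above apply to key-based users as well, while pam_tally2's deny= counter only ever sees password attempts. Second, pam_access compares its origins column against PAM_RHOST, which sshd fills with the remote host name only when UseDNS is on and the reverse lookup is forward-confirmed; otherwise it contains the bare IP address, and a rule naming backup-host.example.com silently never matches. The same applies to host names in an authorized_keys from= pattern, which is why address ranges are the safer choice in both places.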