FW: [clug] SSH attack]

Sam Couter sam at couter.dropbear.id.au
Fri Jul 29 12:56:45 GMT 2005

Robert Edwards <Robert.Edwards at anu.edu.au> wrote:
> Seems to me that neither TCP wrappers, nor a firewall, can provide what
> people really want from a proper SSH access control, namely, to limit
> access by arbitrary combinations of:
>  - username
>  - authentication method (password, keys, pass-phrase etc.)
>  - SSH version (1,2 etc.)
>  - source IP address (whether or not it reverse-DNS resolves properly)
>  - application to be run (in some cases)
>  - number of unsuccessful attempts in past X hours

I think the standard PAM modules can do most of this already, plus more
(like time-based access control).

If the auth stack is called, then they're doing the authentication,
otherwise it was by public key. If it's by public key, I don't think the
server knows or cares whether the private half has a passphrase.

The SSH protocol version is probably hard to pass to PAM, but I think
the rest is covered. Oh, except the desired command to run, but SSH
partially handles that with the "command" option in authorized_keys.
Sam "Eddie" Couter  |  mailto:sam at couter.dropbear.id.au
Debian Developer    |  mailto:eddie at debian.org
                    |  jabber:sam at teknohaus.dyndns.org
OpenPGP fingerprint:  A46B 9BB5 3148 7BEA 1F05  5BD5 8530 03AE DE89 C75C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20050729/0fd6f261/attachment.bin

More information about the linux mailing list