[clug] mc-root anyone?

Daniel Pittman daniel at rimspace.net
Fri Jun 19 03:21:34 GMT 2009


Michael Cohen <scudette at gmail.com> writes:

> As a matter of habit I always set up port knocking on internet facing
> SSH servers. It's a good way of protecting your servers against future
> vulnerabilities and also keeping your logs clean.

You would do just as well using another, more standard, protocol to exchange a
password with the client before opening your firewall; "port knocking" is
absolutely no more secure than anything else, and is less widely used, so less
widely tested.

Something like authpf (ssh based, non-Linux) or an HTTPS secured page
exchanging username and password would be a better choice.

[...]

> Now does anyone know a way to automate the knocking from within
> ~/.ssh/config ? I typically have to write a 2 line shell script wrapper for
> each host which seems a bit hackish.

You could use the ProxyCommand stuff to tunnel for you, using something like:

    ProxyCommand ~/bin/ssh-proxy %h %p

    ~/bin/ssh-proxy:
    #!/bin/sh
    # ssh passes the host as $1 (%h) and the port as $2 (%p)
    /usr/bin/knock "$1" PORT1 PORT2 PORT3   # your knock sequence, or whatever knocker you use
    exec /usr/bin/nc "$1" "$2"              # then hand the TCP stream to ssh

You lose the direct IP to ssh key binding check, thanks to the proxy command,
but you gain the ability to do more complicated things to establish the
connection.

Regards,
        Daniel
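A fuller version of the wrapper described above, written as an added illustration (it is not Daniel's script and not part of any knockd distribution). It assumes a per-host knock table in `~/.ssh/knock.conf` (overridable with the hypothetical `KNOCK_CONF` variable), one line per host of the form `hostname port,port,port`, and a `nc` that understands `-z` and `-w`. Hosts without an entry fall straight through to a plain `nc %h %p` proxy, and a malformed sequence aborts before anything is sent, so a typo in the table cannot leave ssh hanging on a half-done knock.

```shell
#!/bin/sh
# ssh-knock-proxy: ProxyCommand wrapper that knocks, then pipes the connection.
# Added example, not the original poster's code. Hypothetical ~/.ssh/config use:
#   Host bastion.example.net
#       ProxyCommand sh ~/bin/ssh-knock-proxy %h %p
#
# Knock table (KNOCK_CONF, default ~/.ssh/knock.conf), whitespace separated:
#   # host                 knock sequence (TCP ports, in order)
#   bastion.example.net    7000,8000,9000

# validate_ports "7000,8000,9000": succeed only if every field is an
# integer in 1..65535; anything else (empty, letters, out of range) fails.
validate_ports() {
    _seq=$1
    [ -n "$_seq" ] || return 1
    _old_ifs=$IFS; IFS=','
    for _p in $_seq; do
        case $_p in
            ''|*[!0-9]*) IFS=$_old_ifs; return 1 ;;
        esac
        if [ "$_p" -lt 1 ] || [ "$_p" -gt 65535 ]; then
            IFS=$_old_ifs; return 1
        fi
    done
    IFS=$_old_ifs
    return 0
}

# lookup_ports HOST: read the knock table on stdin, print the sequence for
# HOST (first match wins), ignore comment lines; prints nothing if absent.
lookup_ports() {
    awk -v h="$1" '!/^[[:space:]]*#/ && NF >= 2 && $1 == h { print $2; exit }'
}

# knock_host HOST SEQ [DELAY]: one connect attempt per port, in order.
# The knock ports are normally closed, so a failed connect is the expected
# outcome; the daemon on the far side only watches the order of attempts.
knock_host() {
    _host=$1; _seq=$2; _delay=${3:-1}
    _old_ifs=$IFS; IFS=','
    for _p in $_seq; do
        nc -z -w 1 "$_host" "$_p" >/dev/null 2>&1 || true
        sleep "$_delay"
    done
    IFS=$_old_ifs
}

main() {
    host=$1; port=$2
    conf=${KNOCK_CONF:-$HOME/.ssh/knock.conf}
    ports=""
    if [ -r "$conf" ]; then
        ports=$(lookup_ports "$host" < "$conf")
    fi
    if [ -n "$ports" ]; then
        if ! validate_ports "$ports"; then
            echo "ssh-knock-proxy: bad knock sequence for $host in $conf" >&2
            exit 1
        fi
        knock_host "$host" "$ports" "${KNOCK_DELAY:-1}"
    fi
    # Hand the raw TCP stream to ssh, exactly as "nc %h %p" would.
    exec nc "$host" "$port"
}

# Only act as a proxy when ssh actually passed us %h and %p.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

As Daniel notes, the host key is still checked under the name ssh was given, but because the proxy makes the TCP connection ssh never sees the peer address, so the IP-to-key binding in known_hosts is not maintained for these hosts.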

