[TAG] Question about restricting SSH access and open access to a specific computer
Suramya Tomar
security at suramya.com
Wed Jan 18 18:02:32 MSK 2006
Hi Raj,
I was going to reply to everyone who responded in one email but
remembered in time that doing that would bring the wrath of the editors
on me so I desisted. ;)
> Instead of restricting users based on their IPs why not use ssh key
> based authentication ? Copy your id_dsa.pub or id_rsa.pub keys to the
> ~/.ssh/authorized_keys file (in your server) and set
> PasswordAuthentication to No in /etc/ssh/ssh_config (a good idea before
> disabling password authentication will be first test if your key based
> authentication works or not). Check here for more ssh agent magic
> http://www.securityfocus.com/infocus/1812
Hmm.. Didn't think of that. That sounds like a good idea.. Now all I
have to do is convince my sister and room mate to use ssh key based
login. Considering it took me over 3 months to get them to use sftp
instead of ftp to access my box I think it might take a while.
Actually is there some way to restrict access to a particular account to
the local LAN? If that's the case then that would solve my problem as I
could then restrict access to their account to the LAN and have my
account accessible over the web. (I don't think that they choose
particularly strong passwords)
>
> The only caveat that I can think of this method is if you lose your
> ~/.ssh or if you want to login from someplace other than your own box.
> One of my friends carries his ssh & gpg keys everywhere with him in a
> small pocket sized cd. I have my ssh keys on my work desktop, which is
> behind a DMZ.
I guess I will start carrying my files on my usb key or iPod.
Thanks for the help.
Cya,
Suramya
--
----------------------------------------------------------
Mountain Dew and doughnuts... because breakfast is the
most important meal of the day
----------------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------
************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
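The two ideas discussed in this message (key-only logins, and limiting particular accounts to the local LAN) can be combined in the server's sshd_config. The fragment below is an added example, not part of the original message; the account names and the 192.168.1.0/24 subnet are assumptions, and it needs a release of OpenSSH that supports Match blocks.

```conf
# /etc/ssh/sshd_config on the server (constructed example).
# Account names and the LAN subnet are hypothetical placeholders.

# Global default, applies to connections from anywhere:
# public keys only, no password-style logins.
PubkeyAuthentication yes
PasswordAuthentication no
# Older releases spell this option ChallengeResponseAuthentication.
KbdInteractiveAuthentication no

# Who may log in at all, and from where.
# "suramya" may connect from any address (key required by the default above).
# "sister" and "roommate" are accepted only from LAN addresses;
# their logins from any other address are refused outright.
AllowUsers suramya sister@192.168.1.* roommate@192.168.1.*

# Relax the default only for the LAN-only accounts, and only when the
# connection really comes from the LAN: they can keep using passwords.
Match User sister,roommate Address 192.168.1.0/24
    PasswordAuthentication yes
```

Run `sshd -t` to check the file for syntax errors before restarting the daemon, and keep an existing session open until a fresh key-based login has been confirmed.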