Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
|
ssh [2015/06/01 17:30] steve |
ssh [2015/07/17 15:21] steve |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| * [[dropbear]] | * [[dropbear]] | ||
| * [[OpenSSH]] | * [[OpenSSH]] | ||
| - | |||
| - | ==== Policy ==== | ||
| - | |||
| - | Users need to be in ''ssh-users'' group to be granted SSH access to a server. | ||
| - | |||
| - | Root access through SSH is denied. | ||
| - | |||
| - | Public-key authentication is the only login method. | ||
| - | |||
| - | On systems where we have root access, a ''dtrike'' account will be created. This user will have root access through sudo. The user will also allow anyone with a public key access. | ||
| - | |||
| - | For clients who want to have access without public keys, a second SSH server will be run on port 222 (dropbear) with IP address restriction. | ||
| === Managing Keys === | === Managing Keys === | ||
| Line 77: | Line 65: | ||
| iptables -A rate-limit -j DROP | iptables -A rate-limit -j DROP | ||
| iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | ||
| + | </code> | ||
| + | |||
| + | ==== Gotchas ==== | ||
| + | |||
| + | ** Running ''ssh'' in a while loop exits early ** | ||
| + | |||
| + | ''ssh'' may be reading things from stdin, so pipe ''/dev/null'' to it directly: | ||
| + | |||
| + | <code> | ||
| + | ssh < /dev/null | ||
| </code> | </code> | ||
