Re: configure ssh-access
klaus@came.sbg.ac.at wrote:

Hi!

I want to make ssh-access possible only from a restricted
number of hosts - those that are named in /etc/hosts.allow.
Users who want to login have a DynDNS host-name that shall
be listed in hosts.allow to make it possible for users with
a dial-up internet connection, too.

BUT:
The problem is that I can only login to the ssh-machine
when I enter the IP-address to the hosts.allow file.
Specifying the hosts DNS-name does not work!

AND:
I'd prefer to specify the rules for logging into the machine
in the sshd_config-file, not in hosts.allow/deny.
But the AllowHosts/DenyHosts-options that could be used in /etc/sshd_config earlier seem to be not any longer available at the SSH-version I'm using. It's: openssh-3.4p1-80 on a SuSE 8.1

Has anybody ideas on these 2 problems?

thx in advance,
Klaus

Another solution would be to use tacacs+ with s/key as an authentication and authorization mechanism. Everyone that is successfully authenticated by your tacacs+ server after supplying his one time password, could gain access to the ssh service of your machine. This way you don't need to configure dynamic dns resolutions.

I also think the ssh daemon has some support for s/key. This could help a bit.

I think public keys are all right, they add a great deal in security, but you'll have to force all users to get their keys. Now, depending on your users' level of cooperation and knowledge this might be quite a task.

And then you'll have to add their public keys in their home directories (which means that you have found a secure way of obtaining the keys from the users) and sometimes even modify them in order for your ssh daemon to read them properly. One could argue that you could let the users login using their password and then install themselves the public keys. But again, how many of your users are able to successfully fulfill this installation?

However, you could perhaps generate yourself the keys, install them and then deliver them (you still need a secure way of delivering).

~kmag

p.s. At the end, maybe it's just me, with a bad experience with users :-)
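Klaus's first problem (a DynDNS name in hosts.allow never matches, while the bare IP does) comes from how tcp_wrappers compares hostname patterns: it looks up the connecting address's reverse-DNS name and only accepts it if that name forward-resolves back to the same address, so a dial-up user's DynDNS name (a forward record only) never matches the ISP's PTR name. The model below is an added example, not code from this thread or from tcp_wrappers; the DNS tables, names and addresses in it are constructed, and render_hosts_allow shows the usual workaround of regenerating an address-only hosts.allow line from freshly resolved names.

```python
import ipaddress

# Constructed DNS data (documentation ranges, not real hosts): the dial-up
# client's DynDNS name forward-resolves to its current address, but that
# address reverse-resolves to the ISP's generic name, not to the DynDNS name.
FORWARD = {"klaus-home.dyndns.example": "192.0.2.77",
           "office.example.org": "198.51.100.10"}
REVERSE = {"192.0.2.77": "dialup-77.isp.example",
           "198.51.100.10": "office.example.org"}


def wrappers_allows(client_ip, allow_list, forward=FORWARD, reverse=REVERSE):
    """Model of tcp_wrappers (hosts.allow) matching for one client address.

    A numeric pattern is compared against the client address directly.
    A hostname pattern is compared against the client's reverse-DNS name,
    and only if that name forward-resolves back to the same address
    (the PARANOID check); the forward name a user registered is never
    consulted on its own.
    """
    for pattern in allow_list:
        try:
            if ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip):
                return True
            continue  # numeric pattern that does not match this client
        except ValueError:
            pass  # not an address literal, treat it as a hostname pattern
        name = reverse.get(client_ip)
        if name and forward.get(name) == client_ip and name == pattern:
            return True
    return False


def render_hosts_allow(names, forward=FORWARD):
    """Resolve the DynDNS names now and emit an address-only sshd line.

    Run periodically (e.g. from cron) this keeps hosts.allow usable for
    dial-up clients whose addresses change, without relying on reverse DNS.
    """
    addrs = [forward[n] for n in names if n in forward]
    return "sshd: " + " ".join(addrs) if addrs else None
```

Because the DynDNS name is checked against the PTR record of the client, the first call below fails even though the name does resolve to the client's address; the office host, whose reverse and forward records agree, is accepted by name.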
