topic Re: sshd - connection between client & server in Operating System - HP-UX

sshd - connection between client & server

Tal Drigov_2 — Fri, 29 Apr 2005 03:56:08 GMT

Hello,

I have Secure Shell version A.03.91.002 installed on my HP-UX 11.00 workstation.

I would like to configure the sshd in a matter that ONLY a client (e.g: Windows client with putty or Secure Net Term) with a private/certain key will be able to connect and recieve a prompt for a login.

Eventually to achieve a goal of which effect that clients with no such key will be denied and won't even recieve a prompt for login at all!!!

Please help, it's quite urgent.

Thanks in advance,
Tal.

Re: sshd - connection between client & server

Jannik — Fri, 29 Apr 2005 04:04:50 GMT

Create a key...
Make sure it works!

Then go itu your sshd_config on the server (/opt/ssh/etc/sshd_config) and cahnge:

#PasswordAuthentication yes
to
PasswordAuthentication no

Remember to restart you sshd service after the change :-)

Re: sshd - connection between client & server

RAC_1 — Fri, 29 Apr 2005 04:53:42 GMT

There are couple of ways to do that.
1. Run sshd as a service through inetd.conf (you will have to use -i option to sshd)

Then allow certain ip addresses to connect in /var/adm/inetd.sec file. Something as follows.
sshd allow ip_address1, ip_address2

2. The hp ssh comes with built in tcp wrappers. so prepare /etc/hosts deny file. (somethign as follows.)

sshd : ip_address1, ip_address2

Restart sshd.

Anil

Re: sshd - connection between client & server

Denver Osborn — Fri, 29 Apr 2005 05:03:15 GMT

Another option to keep it simple is to edit the /opt/ssh/etc/sshd_config file and add the line "AllowUsers username@windowshost" then restart sshd. This will accomplish what you need. The only allowed logins would be those listed in the AllowedUsers line of the sshd_config file. Wildcards are permitted.

Hope this helps,
-denver

Re: sshd - connection between client & server

Tal Drigov_2 — Fri, 29 Apr 2005 08:40:08 GMT

Jannik,

Thanks for your reply.

How do I create a key ?
ssh-keygen ?

Tal.

Re: sshd - connection between client & server

Rouchon_2 — Fri, 29 Apr 2005 09:06:51 GMT

The best way to do that is to use TCPWrapper. after installing tcpwrapper you just have to set permissions in /etc/host.allow /etc/host.deny
your host.allow should look like that:

SSHD:

to create key use ssh-keygen -t dsa if you want to logging without password prompt then just type enter when prompted for passphrase. Also after creating the key on the client you must copy the public key in the .shh/authorized_key2 of the user home directory that you want to be able to log in.

Re: sshd - connection between client & server

Tal Drigov_2 — Fri, 29 Apr 2005 09:29:08 GMT

Thanks for the advises but I would like to do something else.

I would like only the host & the client to have a key, which means, a client that does NOT have a private key won't be able to even login....

Re: sshd - connection between client & server

Denver Osborn — Fri, 29 Apr 2005 10:22:30 GMT

Tal,

Here's one way I would do it.

1) setup the public/private key pair for the windows client (not sure how to do this on your windows client, but it's ssh-keygen on unix). Put the public key in the ~/.ssh/authorized_keys file on the hp-ux box.

2) setup sshd_config to only allow PublicKey Authentication type.
3) use "AllowUsers username@client" in the sshd_config
4) restart sshd
5) test login from allowed host using keys, then test from a host isn't allowed (should get permission denied)

If you deny all authentication except for PubKey, then anyone w/out the correct identiy file will get "permission denied" when they try to connect. Using the "AllowUsers" list further restricts the setup in the event that your pubkey were used form another host.

Hope this helps,
-denver

Re: sshd - connection between client & server

Tal Drigov_2 — Fri, 29 Apr 2005 15:46:47 GMT

I couldn't exchange keys in such matter that only the server and the client will be able to connect.

So I have to go with AllowUser function instead.