Operating System - HP-UX


Sshd daemon tightening

Hey admins! :D

I need your help. We just installed the ssh daemon and upgraded all of our telnet clients for SSH support.

I've tightened the sshd_config a bit (no permit root login, set MaxAuthTries to 4 and LoginGraceTime to 1m).

But still, I don't have the nicest thing that the telnet daemon did for us, locking the account after x tries.

Is this doable?

Thanks for your help!!

5 REPLIES 5
Avinash20
Honored Contributor

Re: Sshd daemon tightening

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1267714

Check if this helps.
"Light travels faster than sound. That's why some people appear bright until you hear them speak."
Steven E. Protter
Exalted Contributor

Re: Sshd daemon tightening

Shalom,

Take a look at the sshd_config file. There are wonderful options in there.

You can, for example, prevent root login without key exchange. At my prior employer we did that before exposing an sftp server to the public Internet.

There is a lot of customization that can be done there.

For all the nice things that you could do with telnet, telnet is a daemon with unencrypted authentication. Any value you get from options is lost by transmitting passwords across the network in clear text.

It is possible for you to run a script against lastb output and disable accounts via that method. It's highly effective.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
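A sketch of the lastb approach suggested in the reply above, added here as an example and not code from the thread. It assumes the first field of each lastb line is the login name and that `passwd -l` is the lock command on the target system; `THRESHOLD`, `EXEMPT` and the function names are made up for this sketch, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag accounts with repeated failed logins in lastb-style
# output and print lock commands for review (dry run, nothing is locked).
THRESHOLD=${THRESHOLD:-4}   # assumption: failures before an account is flagged
EXEMPT=${EXEMPT:-root}      # assumption: space-separated accounts never flagged

# Constructed sample data standing in for `lastb` output and /etc/passwd.
sample_lastb() {
cat <<'EOF'
jdoe     pts/ta   Mon Mar  1 09:14
jdoe     pts/ta   Mon Mar  1 09:14
jdoe     pts/ta   Mon Mar  1 09:15
jdoe     pts/ta   Mon Mar  1 09:15
root     pts/tb   Mon Mar  1 09:20
root     pts/tb   Mon Mar  1 09:20
root     pts/tb   Mon Mar  1 09:21
root     pts/tb   Mon Mar  1 09:21
asmith   pts/tc   Mon Mar  1 10:02
jdoee    pts/td   Mon Mar  1 10:30
jdoee    pts/td   Mon Mar  1 10:30
jdoee    pts/td   Mon Mar  1 10:31
jdoee    pts/td   Mon Mar  1 10:31

btmp begins Mon Mar  1 09:14
EOF
}
sample_passwd() {
    printf '%s\n' 'root:*:0:3::/:/sbin/sh' 'jdoe:*:101:20::/home/jdoe:/usr/bin/sh'
}

# flagged_accounts PASSWD_FILE < lastb-output
# Prints "user count" for existing, non-exempt accounts at or over THRESHOLD.
flagged_accounts() {
    awk -v max="$THRESHOLD" -v exempt="$EXEMPT" '
        BEGIN     { n = split(exempt, e, " "); for (i = 1; i <= n; i++) skip[e[i]] = 1 }
        NR == FNR { split($0, f, ":"); known[f[1]] = 1; next }  # pass 1: passwd file
        NF == 0 || $2 == "begins" { next }                      # blank line / trailer
        ($1 in known) && !($1 in skip) { fails[$1]++ }          # drop mistyped names
        END       { for (u in fails) if (fails[u] >= max) print u, fails[u] }
    ' "$1" - | sort
}

# lock_commands: turn "user count" lines into commands for an admin to review.
lock_commands() {
    while read -r user count; do
        echo "passwd -l $user   # $count failed logins"
    done
}

tmp=$(mktemp) && sample_passwd > "$tmp"   # on a real host pass /etc/passwd instead
sample_lastb | flagged_accounts "$tmp" | lock_commands
rm -f "$tmp"
```

The counts cover everything in the failed-login log since it was last rotated, so rotate or window it before acting on the totals. Names that are not real accounts (here the mistyped `jdoee`) are ignored, and `root` is exempt by default so repeated failures cannot lock out the administrator.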
Matti_Kurkela
Honored Contributor

Re: Sshd daemon tightening

Which version of ssh are you using?

The current versions available for free from software.hp.com certainly can lock the account after too many invalid password attempts. But if you have dredged up an ancient version from somewhere, or have compiled your own version from the OpenSSH source code, it might not interface properly with the PAM libraries of HP-UX.

MK
MK

Re: Sshd daemon tightening

It's version SSH-2.0-OpenSSH_5.1. I downloaded it precompiled from http://hpux.cs.utah.edu/.

In my sshd_config file, I got
UsePAM no

Could it be only it? Would I have to make other changes to make it work?

Thanks!
Olivier Masse
Honored Contributor

Re: Sshd daemon tightening

May I suggest you use HP-UX Secure Shell unless you really need to use the stock OpenSSH. HP keeps it reasonably current with OpenSSH, takes care of security patches, and you'll have the advantage of it being officially supported.