
sshd - connection between client & server

 
SOLVED
Tal Drigov_2
Advisor

sshd - connection between client & server

Hello,

I have Secure Shell version A.03.91.002 installed on my HP-UX 11.00 workstation.

I would like to configure the sshd in a manner that ONLY a client (e.g: Windows client with putty or Secure Net Term) with a private/certain key will be able to connect and receive a prompt for a login.

Eventually to achieve the goal that clients with no such key will be denied and won't even receive a prompt for login at all!!!

Please help, it's quite urgent.

Thanks in advance,
Tal.
If it's ain't broken, don't fix it...
Jannik
Honored Contributor

Re: sshd - connection between client & server

Create a key...
Make sure it works!

Then go into your sshd_config on the server (/opt/ssh/etc/sshd_config) and change:

#PasswordAuthentication yes
to
PasswordAuthentication no

Remember to restart your sshd service after the change :-)
jaton
RAC_1
Honored Contributor

Re: sshd - connection between client & server

There are couple of ways to do that.
1. Run sshd as a service through inetd.conf (you will have to use -i option to sshd)

Then allow certain ip addresses to connect in /var/adm/inetd.sec file. Something as follows.
sshd allow ip_address1, ip_address2

2. The hp ssh comes with built in tcp wrappers, so prepare the /etc/hosts deny file (something as follows.)

sshd : ip_address1, ip_address2

Restart sshd.

Anil
There is no substitute to HARDWORK
Denver Osborn
Honored Contributor
Solution

Re: sshd - connection between client & server

Another option to keep it simple is to edit the /opt/ssh/etc/sshd_config file and add the line "AllowUsers username@windowshost" then restart sshd. This will accomplish what you need. The only allowed logins would be those listed in the AllowedUsers line of the sshd_config file. Wildcards are permitted.

Hope this helps,
-denver
Tal Drigov_2
Advisor

Re: sshd - connection between client & server

Jannik,

Thanks for your reply.

How do I create a key ?
ssh-keygen ?

Tal.
Rouchon_2
Occasional Advisor

Re: sshd - connection between client & server

The best way to do that is to use TCPWrapper. After installing tcpwrapper you just have to set permissions in /etc/host.allow /etc/host.deny
your host.allow should look like this:

SSHD:

To create a key use ssh-keygen -t dsa. If you want to log in without a password prompt then just type enter when prompted for the passphrase. Also after creating the key on the client you must copy the public key into .ssh/authorized_keys2 in the home directory of the user that you want to be able to log in.
Tal Drigov_2
Advisor

Re: sshd - connection between client & server

Thanks for the advice but I would like to do something else.

I would like only the host & the client to have a key, which means, a client that does NOT have a private key won't be able to even login....
Denver Osborn
Honored Contributor

Re: sshd - connection between client & server

Tal,

Here's one way I would do it.

1) setup the public/private key pair for the windows client (not sure how to do this on your windows client, but it's ssh-keygen on unix). Put the public key in the ~/.ssh/authorized_keys file on the hp-ux box.

2) setup sshd_config to only allow PublicKey Authentication type.
3) use "AllowUsers username@client" in the sshd_config
4) restart sshd
5) test login from the allowed host using keys, then test from a host that isn't allowed (should get permission denied)

If you deny all authentication except for PubKey, then anyone w/out the correct identity file will get "permission denied" when they try to connect. Using the "AllowUsers" list further restricts the setup in the event that your pubkey were used from another host.

Hope this helps,
-denver
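The settings Jannik and Denver describe (password logins off, public-key logins on, an AllowUsers list) are easy to get subtly wrong, because in an OpenSSH-style sshd_config the first uncommented occurrence of a keyword wins and a commented-out `#PasswordAuthentication yes` still leaves the default (yes) in force. The following audit script is an added example, not code from the thread or from HP's Secure Shell package; it assumes an OpenSSH-based sshd_config (HP-UX Secure Shell is OpenSSH-derived) and uses two constructed sample config files, a stock-looking one and one reflecting the setup the thread converges on. The user and host in the AllowUsers line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# "key-only logins, restricted by AllowUsers" setup described above.
# Assumes OpenSSH semantics: first uncommented occurrence of a keyword wins,
# commented lines have no effect, and the defaults are
# PasswordAuthentication yes, PubkeyAuthentication yes,
# ChallengeResponseAuthentication yes.

# Print the effective value of keyword $2 in config file $1 (first match wins).
# Prints nothing if the keyword is never set, i.e. the built-in default applies.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Collect every AllowUsers entry (multiple AllowUsers lines are cumulative).
sshd_allowusers() {
    awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1"
}

# Report findings for config file $1.
# Returns 0 only when password-style logins are off, pubkey is on and an
# AllowUsers list exists; returns 1 otherwise.
audit_sshd_config() {
    cfg="$1"
    rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    cr=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    au=$(sshd_allowusers "$cfg")

    [ "${pw:-yes}" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is '${pw:-yes}' (want no)"; rc=1; }
    [ "${pk:-yes}" = "yes" ] \
        || { echo "FAIL: PubkeyAuthentication is '$pk' (want yes)"; rc=1; }
    [ "${cr:-yes}" = "no" ] \
        || { echo "FAIL: ChallengeResponseAuthentication is '${cr:-yes}'; still permits password-style prompts"; rc=1; }
    [ -n "$au" ] \
        || { echo "FAIL: no AllowUsers line; any account with a key in authorized_keys may log in"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: key-only logins, AllowUsers: $au"
    return "$rc"
}

# Constructed sample configs (placeholder user/host in AllowUsers).
TMPDIR_AUDIT=$(mktemp -d)
WEAK_CFG="$TMPDIR_AUDIT/weak_sshd_config"
HARD_CFG="$TMPDIR_AUDIT/hard_sshd_config"

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: looks locked down but every line is a comment
Port 22
#PasswordAuthentication no
#PubkeyAuthentication yes
#AllowUsers tal@winclient.example.com
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: the setup the thread converges on
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers tal@winclient.example.com
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    echo "== $f"
    audit_sshd_config "$f" || echo "   -> not compliant"
done
```

Run it against /opt/ssh/etc/sshd_config after editing (`audit_sshd_config /opt/ssh/etc/sshd_config`), then restart sshd as the replies say; the audit only reads the file, so it is safe to run on a live box, and the "not compliant" result on the first sample shows why uncommenting the lines, not just adding them, matters.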
Tal Drigov_2
Advisor

Re: sshd - connection between client & server

I couldn't exchange keys in such a manner that only the server and the client will be able to connect.

So I have to go with AllowUser function instead.
