Wednesday, February 15, 2006

Good practices if enabling SSH remote login

MacInTouch: timely news and tips about the Apple Macintosh

[MacInTouch Reader 2] This is a good time to mention what I'm sure has been mentioned before - since you can't count on users *not* reusing their login creds elsewhere (or using weak passwords) - you can limit who can remotely login to your Mac with a simple addition to your sshd config. Just add:
AllowUsers dad mom
to /etc/sshd_config and then stop/start remote login using System Preferences -> Sharing.
Now only 'dad' and 'mom' can login remotely, so when daughter lets her login creds out of the bag (or you create a user/pass like 'guest/guest' or 'test/test') you're not wide open to attack.

[David Charlap] In my case, I want to allow any user to log in from my LAN or from my office computer, but I don't want to allow any account to log in from the internet. This can be done by editing /etc/hosts.allow and /etc/hosts.deny:
My /etc/hosts.deny is set up to deny everything (only allowing what hosts.allow explicitly permits). It contains:
My /etc/hosts.allow has rules that allow all services to accept connections from my LAN (192.168.1.*) and ssh logins from my office subnet. It contains:
ALL : 192.168.1.
sshd-keygen-wrapper,sshd : office IP prefix
Attempting to connect to ssh from any other location results in the Mac dropping the TCP connection before the ssh daemon even gets a chance to find out what the user ID is.

No comments: