On 10-09-2004 at 08:47:15AM -0600, Price, Christopher wrote:
PC>
PC> Hi;
PC>
PC> I am looking for some ideas on howto lock down ssh for a large
PC> deployment of unix hosts. Specifically, I would like to be able to tell the
PC> ssh cli program to ignore individual users .ssh/ssh_config files and only
PC> reference the global ssh_config file, (eg: /usr/local/etc/ssh_config). Most
PC> of my users home directories are mounted via automounter from a central
PC> location.
PC>
PC> I am also looking for a way in which to have ssh only reference a
PC> global known_hosts file (eg: /usr/local/etc/known_hosts) and completely
PC> ignore individual users .ssh/known_hosts entries. Effectively what I want is
PC> a centrally managed and distributed known_hosts file to be used in
PC> conjunction with StrictHostKeyChecking to not allow ssh connections from
PC> hosts not listed in the global known_hosts file. The global known_hosts file
PC> would be a read-only file for everyone but administrators. The use of
PC> StrictHostKeyChecking ties into my desire to ignore users ssh_config files
PC> and rely only on the global file - I don't want users to be able to override
PC> StrictHostKeyChecking. VerifyHostKeyDNS has a great deal of appeal, but a
PC> number of my clients (Sun SSH for example) do not yet support this option.
PC> Also I have some issues with getting a recent bind deployment in place to
PC> support SSHFP keys.
PC>
Use XFS filesystem with acl.
You can use filesystems other than XFS (such as ext3/reiserfs), but you need to
add the VFS-Lock patch to your kernel (it's found within the LVM source
tarball).
Best regards,
Bartek.
--
If You want to verify authentication of my e-mail visit: www.bmk.bicom.pl
to get from there my public key.
pgpVQh3G43zn8.pgp
Description: PGP signature
