secure ssh set up on edubuntu

Gavin McCullagh gmccullagh at gmail.com
Tue Oct 3 09:08:05 UTC 2006


On Tue, 03 Oct 2006, Corey Burger wrote:

> This certainly looks interesting. Can you create a spec and propose it
> for the next developer summit? Your writeup looks fairly complete,
> from a casual glance.

A proposal is outlined below.

Gavin

----------------------------------------------------------------------
DedicatedLTSPSSH

Packages affected:
    * ltsp-server (possibly openssh-server)


--Summary--

In order to improve securability of ssh, Edubuntu by default should set up
two sshd instances, one dedicated to LTSP and one standard instance for
other access.  These instances might either bind to different tcp ports (eg
22 & 10022) or different IPs  -- the latter requiring the server to have
two ip addresses.  The standard sshd could be disabled by default or have
restricted access.

--Rationale--

Random ssh dictionary attacks are very common on the net.  If the existing
ssh setup is exposed to the net (eg for remote admin), all of the accounts
are exposed to this.  Accounts with weak passwords are at risk of being
compromised.  The risk of directed attacks (eg a student compromising a
teacher's account) is also heightened.

Currently the only protection is use of TCP wrappers.  All users must be
accepted with simple password authentication for ltsp logins to work.  With
a second sshd instance, ssh facilities like AllowUsers, AllowGroups and
unsetting PasswordAuthentication can be used (even by default) to restrict
remote ssh access.


--Use Cases--

A school with a consultant, parent, etc. administering their server
remotely.  A school that does not have their net access firewalled.


--Design--

-Server-
  - The server runs a second sshd instance off the existing ssh binary.
    This is bound either to a different IP or a different TCP port.

-Client-
  - The client needs to connect to the server on port XXX instead of port
    22.  

--Implementation--
  - A second ssh service must be created with its own init script,
    sshd_config and pid file.  These files would be included in the
    ltsp-server package.
      /etc/ltsp/ltsp-sshd_config
      /etc/default/ltsp-ssh
      /etc/init.d/ltsp-ssh
      /var/run/ltsp-ssh
  - ltsp-sshd_config is a copy of the usual sshd_config except that either
    the "Port 22" line must be changed or a ListenAddress must be added.  In
    the latter case a ListenAddress must also be added to the standard
    sshd_config.  Also the following line is added.  
      PidFile /var/run/ltsp-sshd.pid
  - /etc/default/ltsp-ssh contains the line:
      SSHD_OPTS="-f /etc/ltsp/ltsp-sshd_config"
  - /opt/ltsp/i386/usr/sbin/ldm is changed to add the port number to
    ssh_opts
  - If possible, the standard sshd is either
      * disabled by default
      * restricted to the admin group by default
    If possible, ltsp-sshd should be restricted to local network access
    only using
      * AllowUsers *@192.168.0.0/24  (or whatever the local net is)
      * tcpwrappers?
      * iptables?

--Ideas--
  - Can tcp wrappers control the two instances separately, eg 
        sshd: ALL
        ltsp-sshd: 192.168.0.0/24
    does this need a recompile or rename of the sshd binary?


----------------------------------------------------------------------
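The config split the proposal sketches, as an added example that is not part of the post or of the ltsp-server package: one stock sshd_config is turned into an LTSP-only instance on its own port (password logins kept, but only from the local network) and a locked-down standard instance for remote administration (admin group only, keys only). The port 10022, the network pattern 192.168.0.*, the group name admin and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not Edubuntu's or ltsp-server's own code.  Generates the two
# sshd_config files the proposal describes from one stock config.  Port 10022,
# the local-network pattern and the "admin" group are assumptions.

# make_ltsp_config SRC DST PORT NETPATTERN
# Copies SRC, dropping any existing Port/ListenAddress/PidFile/AllowUsers/
# AllowGroups lines (commented out or not) so the appended settings are the
# only ones in effect.  HostKey lines and everything else are inherited, so
# thin clients keep seeing the host key they already trust.
make_ltsp_config() {
    src=$1 dst=$2 port=$3 netpat=$4
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|ListenAddress|PidFile|AllowUsers|AllowGroups)[[:space:]]' "$src" > "$dst"
    cat >> "$dst" <<EOF

# --- LTSP-only instance (appended by make_ltsp_config) ---
Port $port
PidFile /var/run/ltsp-sshd.pid
# ldm logs thin-client users in with their passwords, so this instance has
# to keep password authentication; restrict where it may be used from instead.
PasswordAuthentication yes
AllowUsers *@$netpat
EOF
}

# harden_admin_config SRC DST
# The standard instance stays on whatever Port/ListenAddress SRC has, but
# only members of "admin" may log in, only with keys, and never as root.
# ChallengeResponseAuthentication is switched off too: with UsePAM it would
# otherwise still prompt for the password via keyboard-interactive.
harden_admin_config() {
    src=$1 dst=$2
    grep -Ev '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|ChallengeResponseAuthentication|AllowUsers|AllowGroups|PermitRootLogin)[[:space:]]' "$src" > "$dst"
    cat >> "$dst" <<EOF

# --- remote-admin instance (appended by harden_admin_config) ---
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowGroups admin
EOF
}

# check_config FILE
# "sshd -t -f FILE" parses FILE and loads the host keys without starting a
# daemon; run it as root before restarting either service.  Skips cleanly on
# a machine without sshd so the generator itself can be tested anywhere.
check_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed, skipping -t check" >&2; return 0; }
    sshd -t -f "$1"
}

# Typical use on the server (as root):
#   make_ltsp_config   /etc/ssh/sshd_config /etc/ltsp/ltsp-sshd_config 10022 '192.168.0.*'
#   harden_admin_config /etc/ssh/sshd_config /etc/ssh/sshd_config.new
#   check_config /etc/ltsp/ltsp-sshd_config && check_config /etc/ssh/sshd_config.new
#   echo 'SSHD_OPTS="-f /etc/ltsp/ltsp-sshd_config"' > /etc/default/ltsp-ssh
```

Two points worth checking before relying on this. The AllowUsers host part is written in the wildcard pattern form, which old and current sshd both accept; current releases also take the CIDR form used in the proposal. On the tcp wrappers question: the libwrap support OpenSSH carried at the time (removed in 6.7) used the daemon's own program name, taken from argv[0], as the hosts.allow service name, so starting the second instance through a symlink named ltsp-sshd, rather than a recompile, is what lets an "ltsp-sshd:" line in hosts.allow match it separately from "sshd:".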





More information about the edubuntu-devel mailing list