On Fri, 11 Jul 2008, Stephen John Smoogen wrote:
> On Fri, Jul 11, 2008 at 12:06 AM, Jeroen van Meeuwen
> <kanarip(a)kanarip.com> wrote:
>> Hi there,
>>
>> A few thoughts on the OpenSSH standard in development right now;
>>
>> I'm thinking about including the following topics:
>>
>> - OpenSSH Server Configuration Standard (partly done)
>> - host keys
>> - access control (AllowUsers, AllowGroups, etc)
>> - ssh gateway in DMZ setup
>> - auditing (pam_abl, denyhosts, insert-your-favorite here)
>>
>> - OpenSSH Client Configuration Standard
>> - host client configuration (/etc/ssh/ssh_config)
>> - ssh-agent
>> - XForwarding
>> - tunneling principles
>> - ssh-agent forwarding
>>
> Kerberos is one of the things I found worked really well. Getting it
> configured was a bit of a pain (especially when the cool Kerberos bits
> weren't in OpenBSD proper).

I debated whether or not to include auth bits in the standard or not and
for now have left it off. I was hoping to make the standard that would
work with multiple auth mechanisms.

> One of the items that we usually had to do was deploy the same version
> of openssh on all our boxes so I would have to compile sshd for
> 2.1,3,4, etc to make sure that the version was the same and that they
> all had the same 'extra' patches in the case of our cluster builds.
>
> Having ssh 'proxy' systems was also interesting. We had to have
> control of outgoing connections from some networks (you actually may
> not want your financial system computers to have ssh channels where
> someone is tunneling out the financials). That is more into the
> security policy items. [And the silly things people will do to get
> work done at home when they were told to never take it out of the
> company.]

Yeah, right now what I've written in the OpenSSH standard is a base
layout. I do have some other questions like whether or not it's proper to
track all known host keys. I've never been in an environment that has
done it but that seems like the 'right' way to do it.
-Mike
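The thread lists the directives a server/client configuration standard would cover (HostKey, AllowUsers/AllowGroups, the client-side ssh-agent and X11 forwarding settings, host-key tracking). The script below is an added illustration and is not code from the thread or from the standard being drafted: it parses sshd_config / ssh_config text into directives and reports the points such a standard would check. The sample config files are constructed for the demonstration, and the parser reads the files flat (Host/Match sections are not scoped), which is a simplification of OpenSSH's real first-match semantics.

```python
"""Checker for the sshd_config / ssh_config points discussed in the thread.

Reads a config file flat (Host/Match sections are not modelled, an
assumption that simplifies OpenSSH's real first-match rules) and reports
whether host keys are listed explicitly, whether account access control
is set, and whether the client forwards the agent or X11 by default.
"""
import re
from typing import Callable, Dict, List

# Constructed sample files for the demonstration; not from any real host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
AllowGroups sshusers wheel
X11Forwarding no
"""

SAMPLE_SSH_CONFIG = """\
# ssh_config (constructed sample)
Host *
    ForwardAgent yes
    ForwardX11 yes
    StrictHostKeyChecking ask
"""

# OpenSSH accepts both "Key value" and "Key=value".
_DIRECTIVE = re.compile(r'^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$')


def parse_ssh_config(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive name -> list of its values in file order.

    Directive names are case-insensitive in OpenSSH.  Repeated directives
    are kept in order so multi-valued ones (HostKey) stay visible, and the
    'first obtained value wins' rule can be applied by taking values[0].
    """
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        match = _DIRECTIVE.match(line)
        if not match:            # a bare keyword without a value is skipped
            continue
        name, value = match.group(1).lower(), match.group(2).strip()
        directives.setdefault(name, []).append(value)
    return directives


def first_value(cfg: Dict[str, List[str]], name: str, default: str) -> str:
    """First value of a directive (OpenSSH keeps the first one it reads)."""
    return cfg.get(name, [default])[0].lower()


def audit_server(cfg: Dict[str, List[str]]) -> List[str]:
    """Server-side checks: access control, explicit host keys, root login."""
    findings: List[str] = []
    access_controls = ('allowusers', 'allowgroups', 'denyusers', 'denygroups')
    if not any(name in cfg for name in access_controls):
        findings.append('no AllowUsers/AllowGroups/DenyUsers/DenyGroups: '
                        'every account with a valid shell may attempt login')
    if 'hostkey' not in cfg:
        findings.append('no explicit HostKey lines: the keys in use come from '
                        'compiled-in defaults and are harder to inventory')
    if first_value(cfg, 'permitrootlogin', 'unset') in ('unset', 'yes'):
        findings.append('PermitRootLogin is not explicitly disabled')
    return findings


def audit_client(cfg: Dict[str, List[str]]) -> List[str]:
    """Client-side checks: agent/X11 forwarding defaults, host-key checking."""
    findings: List[str] = []
    if first_value(cfg, 'forwardagent', 'no') == 'yes':
        findings.append('ForwardAgent yes: root on any remote host can use your agent')
    if first_value(cfg, 'forwardx11', 'no') == 'yes':
        findings.append('ForwardX11 yes: remote X clients can reach your display')
    if first_value(cfg, 'stricthostkeychecking', 'ask') == 'no':
        findings.append('StrictHostKeyChecking no: new or changed host keys '
                        'are accepted without asking')
    return findings


if __name__ == '__main__':
    jobs: List[tuple] = [('sshd_config', SAMPLE_SSHD_CONFIG, audit_server),
                         ('ssh_config', SAMPLE_SSH_CONFIG, audit_client)]
    for label, text, audit in jobs:
        audit_fn: Callable[[Dict[str, List[str]]], List[str]] = audit
        for finding in audit_fn(parse_ssh_config(text)) or ['no findings']:
            print(f'{label}: {finding}')
```

Run against the constructed samples, the server file passes (it sets AllowGroups, two HostKey lines and PermitRootLogin no) while the client file produces two findings, for ForwardAgent and ForwardX11. Feeding it a real file is a matter of reading the file into `parse_ssh_config`; per-host overrides in ssh_config would need the Host/Match scoping that this flat parser deliberately leaves out.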