secure ssh set up on edubuntu

Gavin McCullagh gmccullagh at gmail.com
Sat Sep 30 14:14:07 UTC 2006 

Hi,

I'm quite certain this is too late for edgy, but it might be worth looking
at afterward.

Executive summary:  In order to ease security of ssh, could Edubuntu by
default set up two sshd instances, one dedicated to LTSP running on tcp
port 10022 (or whatever) with its own init script "ltsp-ssh" and another
optional one running on port 22 "ssh".  These should have separate config
files (ltsp-sshd_config, sshd_config), allowing them to be given different
authentication rules, etc.  LTSP requires a very open sshd setup which is
not very suitable for exposing to the net.

==Long winded version==

I currently run an ssh server with thin clients in Dublin, Ireland.
Broadly, it's been great so far (only small issue has been with cups).  The
Irish government has paid for a schools WAN over broadband which includes
content filtering.  This relieves us of much technical responsiblity, which
is great.

In order to get remote access, we have tcp port 22 open.  However, that
means every user (teacher, student, etc.) can login from the 'net.  If a
student has a weak password, that is exposed to brute forcing.  Neither of
these are desirable.  We also cannot require key-based authentication as
that would break ssh.

Remote break-in attempts are quite common on ssh these days.  If someone
creates an account called test with password test, that machine stands a
good chance of being compromised within a week or so.

My solution has been to give the machine two IP addresses and two sshd
instances, one listening on each address.  This allows me to more strictly
secure the sshd available to the net.  Rather than have two ips (we have
our reasons) it would seem more sensible to use two different ports in
Edubuntu.  Firewalls can be configured to block 

The LTSP package could require ssh-server (I presume it already does) and
include the extra required files:

	/etc/ssh/ltsp-sshd_config
	/etc/init.d/ltsp-ssh
	/etc/rc2.d/S20ltsp-ssh

Then the regular sshd could be independently enabled/disabled and secured.
Ideally, it would be great to add a TCP wrapper entry blocking access to
the ltsp-sshd from outside the local network, but I'm not sure if that can
be done without a second recompiled sshd binary.

Any thoughts?
Gavin

More information about the edubuntu-devel mailing list