LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   two security related questions (https://www.linuxquestions.org/questions/linux-security-4/two-security-related-questions-439726/)

krock923 04-28-2006 12:01 PM

two security related questions
 
My first question should be relatively simple. How much of a difference would it make, and how much easier would it be to implement, having a user "ssh"? The user would be the only one that can start an SSH session and would have access to just about nothing. The user would then have to su into his own account.


My other, and perhaps more complicated, question deals with IPCop. Is it possible to make an IPCop box act like a switch instead of a router? Or if not, can someone explain to me how it could route and still allow me to SSH into my machines? I'm on a campus network and I was planning next year to have a few boxes and an IPCop firewall. Trouble is, how would they get IPs from the campus DHCP with IPCop as a router? I hope that makes sense somewhat.

Now that I think of it... (okay, three questions) would it be a good idea to have something of a gateway box? I.e., I can remote into this machine from anywhere (currently I have it set up so I can only remote into my machines from within the campus network, a class B) and then from this machine I can SSH or VNC into one of my computers. My other computers would be set up to allow remote connections from only this one machine.


Thanks in advance for any answers you might have.
-Matt

barnamos 04-28-2006 03:07 PM

ssh with public keys
 
I use something like your scenario in 3 and it works fine. I have a "sensitive" box that only allows SSH on a non-standard port with keys and firewalled to a specific IP. I got a cool SSH client for my BlackBerry but did not want to open the firewall. So it made sense to SSH into the machine at the IP allowed by the firewall and then connect to the sensitive machine.

I don't know about IPCop, but as far as hitting different machines behind a single IP goes, I just use different ports for different machines and then port forward accordingly. SSH sometimes freaks out thinking "men are in the middle", but that's bearable.

HTH
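The client side of the setup barnamos describes, as an added example that is not part of the original post: one gateway that is reachable from anywhere and accepts keys only on a non-standard port, a LAN box reached by hopping through that gateway, and a second LAN box reached through a port forwarded on the same public IP. The "men in the middle" warning he mentions comes from OpenSSH storing the key of a non-standard port under `[ip]:port` in known_hosts, so if the port-to-machine mapping changes, the stored key no longer matches; `HostKeyAlias` pins the entry to the machine's alias instead. Every name, address, port and account below (gw.example.edu, 2222, ssh4me, 192.168.100.101, 203.0.113.10, 10102, the aliases gw/box1/box2) is an assumption chosen for illustration. `ProxyJump` needs OpenSSH 7.3 or newer; older clients use `ProxyCommand ssh -W %h:%p gw` for the same effect.

```shell
#!/bin/sh
# Added example, not from the thread: render a client ~/.ssh/config for
#   gw   - the gateway box, key-only login on a non-standard port
#   box1 - a LAN machine reached by hopping through gw (ProxyJump)
#   box2 - a LAN machine reached via a port forwarded on the public IP,
#          with HostKeyAlias so known_hosts tracks the machine, not [ip]:port
# All names, addresses, ports and the account are assumptions.

GATEWAY_NAME="gw.example.edu"   # assumed public DNS name of the gateway
GATEWAY_PORT=2222               # assumed non-standard sshd port on it
LOGIN_USER="ssh4me"             # assumed account allowed to log in

# The gateway is the "sensitive" box: keys only, and abort rather than
# prompt if its host key ever changes.
gateway_stanza() {
    printf 'Host gw\n'
    printf '    HostName %s\n' "$GATEWAY_NAME"
    printf '    Port %s\n' "$GATEWAY_PORT"
    printf '    User %s\n' "$LOGIN_USER"
    printf '    IdentityFile ~/.ssh/id_ed25519\n'
    printf '    IdentitiesOnly yes\n'
    printf '    PasswordAuthentication no\n'
    printf '    StrictHostKeyChecking yes\n'
}

# $1 = alias, $2 = the box's LAN address as the gateway sees it.
# ssh opens the TCP connection to $2 from inside an ssh session to gw,
# so nothing on the campus side needs a forwarded port for this box.
jump_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    User %s\n' "$LOGIN_USER"
    printf '    ProxyJump gw\n'
    printf '    StrictHostKeyChecking yes\n'
}

# $1 = alias, $2 = public IP, $3 = port forwarded on that IP to the box.
# HostKeyAlias makes known_hosts store the key under "$1" instead of
# "[$2]:$3", so re-mapping ports later does not look like a changed key.
forwarded_stanza() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$2"
    printf '    Port %s\n' "$3"
    printf '    User %s\n' "$LOGIN_USER"
    printf '    HostKeyAlias %s\n' "$1"
    printf '    StrictHostKeyChecking yes\n'
}

# Print the complete file; redirect it into ~/.ssh/config when satisfied.
render_ssh_config() {
    gateway_stanza
    printf '\n'
    jump_stanza box1 192.168.100.101
    printf '\n'
    forwarded_stanza box2 203.0.113.10 10102
}

render_ssh_config
```

Run it as `sh render.sh > ~/.ssh/config.new`, compare with the existing file, then `ssh -G -F ~/.ssh/config.new box2` prints the effective settings for one host so the alias, port and `hostkeyalias` can be checked before the file goes live. With `StrictHostKeyChecking yes` the first connection to each box must be preceded by adding its key to known_hosts by hand (for example from the console), which is the point: a forwarded port that suddenly answers with a different key is refused instead of tolerated.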

win32sux 04-28-2006 04:41 PM

Quote:

Originally Posted by krock923
My first question should be relatively simple. How much of a difference would it make, and how much easier would it be to implement, having a user "ssh"? The user would be the only one that can start an SSH session and would have access to just about nothing. The user would then have to su into his own account.

Yeah, that would work fine... just disable root access in your sshd_config and also set it so that only user "ssh" is allowed to log in via SSH... BTW, you might want to use a different username to lessen the chances of getting cracked... maybe something like "ssh4me" or something...

Quote:

My other, and perhaps more complicated, question deals with IPCop. Is it possible to make an IPCop box act like a switch instead of a router? Or if not, can someone explain to me how it could route and still allow me to SSH into my machines? I'm on a campus network and I was planning next year to have a few boxes and an IPCop firewall. Trouble is, how would they get IPs from the campus DHCP with IPCop as a router? I hope that makes sense somewhat.
You don't need to have it work like a switch... it's fine as a router... you just need to forward some ports to your LAN boxes... for example, let's say you had three LAN boxes: 192.168.100.101, 192.168.100.102, and 192.168.100.103... so you could forward one port on the router's WAN interface side to each of your internal boxes... for example you could forward port 100101 to 192.168.100.101:22, 100102 to 192.168.100.102:22, etc... etc... etc...

As for the campus DHCP server: your LAN doesn't really need that... basically only the WAN side of your router would need to use the campus DHCP server, as your LAN boxes would optimally get their IPs from your own DHCP server, which could be running on your router's LAN side, assigning internal IPs...

Quote:

Now that I think of it... (okay, three questions) would it be a good idea to have something of a gateway box? I.e., I can remote into this machine from anywhere (currently I have it set up so I can only remote into my machines from within the campus network, a class B) and then from this machine I can SSH or VNC into one of my computers. My other computers would be set up to allow remote connections from only this one machine.
Yes, instead of forwarding packets to your LAN boxes, you could instead SSH into your router and then from there SSH to your LAN boxes... have a look at my signature... :)
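The server and router side of the answer above, as an added example that is neither from the thread nor IPCop's own tooling: the sshd_config lines for a single permitted login account (question 1), the sshd_config lines for a LAN box that accepts logins only when they arrive from the gateway (question 3, using sshd's `user@host` form of `AllowUsers`), and the raw iptables DNAT plus FORWARD rules that a generic Linux router needs for one forwarded port per LAN box (question 2; IPCop's port-forwarding page generates the equivalent). The rule generator validates ports first, because TCP ports are 16-bit and anything above 65535 cannot be bound or forwarded. The interface name eth0, the addresses 192.168.100.x, the external ports 1010x, and the account names are assumptions chosen for illustration, and the FORWARD rules assume the usual `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule already exists for return traffic.

```shell
#!/bin/sh
# Added example (not from the thread): sshd_config fragments and iptables
# port-forward rules for a generic Linux router. Interface, addresses,
# ports and account names are assumptions.

# sshd_config for the box the campus can reach: no root, exactly one
# account may log in, keys only. $1 = that account (e.g. "ssh4me").
sshd_public_fragment() {
    printf 'PermitRootLogin no\n'
    printf 'AllowUsers %s\n' "$1"
    printf 'PasswordAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'MaxAuthTries 3\n'
}

# sshd_config for a LAN box that must accept logins only from the gateway.
# AllowUsers takes USER@HOST patterns; a matching user from any other
# address is refused. $1 = user, $2 = the gateway's LAN address.
sshd_lan_fragment() {
    printf 'PermitRootLogin no\n'
    printf 'AllowUsers %s@%s\n' "$1" "$2"
    printf 'PasswordAuthentication no\n'
}

# True when $1 is a decimal TCP port in 1..65535 (no sign, no letters).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the two rules that forward WAN port $2 arriving on interface $1 to
# $3:$4: rewrite the destination in nat/PREROUTING, then allow the new
# connection through filter/FORWARD. Prints nothing and fails if either
# port is not a real TCP port, so a typo cannot produce a half-written rule.
forward_rules() {
    _if=$1 _ext=$2 _ip=$3 _port=$4
    valid_port "$_ext" && valid_port "$_port" || return 1
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$_if" "$_ext" "$_ip" "$_port"
    printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$_if" "$_ip" "$_port"
}

# Read "ext_port lan_ip" pairs from stdin and emit sshd forwards (LAN port
# 22) for all of them on WAN interface $1. Bad lines are reported on stderr
# and counted in the exit status, so nothing is dropped silently.
plan_forwards() {
    wan_if=$1 bad=0
    while read -r ext_port lan_ip; do
        [ -z "$ext_port" ] && continue
        forward_rules "$wan_if" "$ext_port" "$lan_ip" 22 || {
            printf 'rejected: %s -> %s (port out of range)\n' "$ext_port" "$lan_ip" >&2
            bad=$((bad + 1))
        }
    done
    return "$bad"
}

# Demo with three assumed LAN boxes on the assumed campus-facing eth0.
printf '10101 192.168.100.101\n10102 192.168.100.102\n10103 192.168.100.103\n' \
    | plan_forwards eth0
```

Running the script prints six iptables commands; pipe them into `sh` on the router, or read them next to what IPCop's port-forwarding page configured to confirm the two agree. Pairing `sshd_public_fragment` on the gateway with `sshd_lan_fragment` on each LAN box gives the layout from question 3: the only sshd the campus can reach accepts one unprivileged key-only account, and the boxes behind it refuse that account from any address but the gateway's.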

