From owner-freebsd-questions Thu Nov 8 10:28:57 2001
Date: Thu, 8 Nov 2001 13:28:18 -0500
From: ravi pina
To: kjerste soderberg
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ssh auth on floppy
Message-ID: <20011108132818.X97368@happy.cow.org>
Reply-To: ravi@cow.org
References: <20011108175040.22651.qmail@web9703.mail.yahoo.com>
In-Reply-To: <20011108175040.22651.qmail@web9703.mail.yahoo.com>; from kjerstes@yahoo.com on Thu, Nov 08, 2001 at 09:50:40AM -0800
User-Agent: Mutt/1.2.5i

On Thu, Nov 08, 2001 at 09:50:40AM -0800, kjerste soderberg said at one point in time:
> has anyone done this w/ ssh
>
> Right now ssh for any user is to ssh in w/ their
> usernm & passwd.
>
> Would like to chg this, in addition to their usernm &
> passwd would like to hand an authorized remote user a
> floppy w/ some type of a file that is an
> auth token or something and then if they want to
> connect they'd have to have
> this file in the right place in addn to their usernm &
> passwd ???
[...]

i believe by having the following in your sshd_config:

    RSAAuthentication yes        # applies for version 1 only
    DSAAuthentication yes        # applies for version 2 only
    PasswordAuthentication no

will do something similar to this.  each user will need to
generate a *SA key on their host and place the public version
in $HOME/.ssh/authorized_keys of the remote host.
you can have it so that they send the keys to you and you edit
that file yourself.  you can then have the file owned by root
and read only so they cannot manually add any other keys.

using this method will disable local password auth, and only
permit *SA type auth.  while this doesn't give you a 2-level auth
scheme, IMHO it is far better than using local password, as well
as uses a public/private key structure.

-r

--
echo "send pgp key" | mail ravi@cow.org
"The important thing is not to stop questioning." -- Albert Einstein
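
Added example, not part of the message above or of the FreeBSD project: a POSIX sh audit of the two things the reply relies on, namely that password logins are off in sshd_config and that a user's authorized_keys is owned by root and read-only. The function names and the file name audit.sh are assumptions made for illustration. It checks only the key file itself; whether a user can still replace that file depends on who controls the directories above it, which this script does not examine.

```shell
#!/bin/sh
# Added example: audit the setup described in the reply above.

# Print the value sshd uses for a global keyword. The first occurrence wins,
# keywords are case-insensitive, "#" starts a comment, and lines after the
# first Match line are conditional, so they are ignored here.
effective_opt() {   # usage: effective_opt <sshd_config> <keyword>
    awk -v want="$2" '
        { sub(/#.*/, "") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Succeed only if password logins are explicitly disabled; an absent
# keyword falls back to the sshd default, which is "yes".
password_auth_disabled() {   # usage: password_auth_disabled <sshd_config>
    [ "$(effective_opt "$1" PasswordAuthentication)" = "no" ]
}

# Print "uid mode" for a path. ls -ln output has the same layout on
# FreeBSD and Linux, unlike the options of stat.
owner_and_mode() {
    ls -lnd "$1" 2>/dev/null | awk '{ print $3, $1 }'
}

# Succeed only if the key file is owned by <uid> (default 0, root) and has
# no write bit set for owner, group or others.
keys_file_locked() {   # usage: keys_file_locked <authorized_keys> [uid]
    want_uid=${2:-0}
    set -- $(owner_and_mode "$1")      # $1 = owner uid, $2 = mode string
    [ "$1" = "$want_uid" ] || return 1
    case $2 in *w*) return 1 ;; esac
    return 0
}

# Stand-alone use: sh audit.sh <sshd_config> <authorized_keys>
if [ $# -eq 2 ]; then
    if password_auth_disabled "$1"; then echo "password auth: disabled"
    else echo "password auth: ENABLED"; fi
    if keys_file_locked "$2"; then echo "$2: root-owned, read-only"
    else echo "$2: NOT locked"; fi
fi
```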