Date:      Mon, 10 Sep 2001 19:47:12 +0100
From:      Adam Laurie <adam@algroup.co.uk>
To:        David Kirchner <davidk@accretivetg.com>
Cc:        David Taylor <davidt@yadt.co.uk>, Freebsd-security@FreeBSD.ORG
Subject:   Re: allow selective RSA AUTH in sshd setup?
Message-ID:  <3B9D0AB0.96DB5AA@algroup.co.uk>
References:  <20010910101420.W85958-100000@localhost>

David Kirchner wrote:
> 
> On Mon, 10 Sep 2001, David Taylor wrote:
> 
> > Easy enough
> >
> > # mkdir ~user/.ssh
> > # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> > # chown root:usersprivategroup ~user/.ssh
> > # chmod 750 ~user/.ssh
> > # chown user:usersprivategroup ~user/.ssh/*
> > # chmod 640 ~user/.ssh/*
> > # chown root:usersprivategroup ~user/.ssh/authorized_keys
> >
> > SSH even seems happy to have a root-owned authorized_keys file...
> 
> And then chflags schg .ssh so the user can't rename and re-create the .ssh
> directory.

indeed... that'll be the important bit! however, i'd still rather just
get notified of an important security change by my regular security
checking script than have to enforce policies that may not be
appropriate for all users/machines.

cheers,
Adam 
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
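
The reply above prefers being notified by a regular security checking script over locking down each user's `.ssh`. The following is an added example of such a check, not code from this thread or from any poster's own script. The function names `hash_file`, `snapshot` and `audit` are hypothetical, and it assumes the baseline file is stored where the monitored users cannot write.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Keep the baseline file somewhere the monitored users cannot write.

# hash_file FILE: SHA-256 of FILE (sha256sum on Linux, sha256 on FreeBSD).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# snapshot HOME_ROOT: one line per .ssh directory and per entry inside it:
#   <path> <mode> <uid> <gid> <sha256, or "-" for non-regular files>
# Paths containing whitespace or newlines are not handled.
snapshot() {
    find "$1" -name .ssh -type d -prune 2>/dev/null | sort |
    while IFS= read -r d; do
        for p in "$d" "$d"/*; do
            [ -e "$p" ] || continue
            meta=$(ls -lnd "$p" | awk '{print $1, $3, $4}')
            if [ -f "$p" ]; then sum=$(hash_file "$p"); else sum=-; fi
            printf '%s %s %s\n' "$p" "$meta" "$sum"
        done
    done
}

# audit HOME_ROOT BASELINE: print every line that differs from BASELINE
# ("<" = recorded state now gone, ">" = new or changed state).
# Returns 0 when nothing changed, 1 when something did, 2 on setup failure.
audit() {
    cur=$(mktemp) || return 2
    snapshot "$1" > "$cur"
    changes=$(diff "$2" "$cur" | grep '^[<>]' || true)
    rm -f "$cur"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# CLI: "$0 snapshot /home > baseline" once, then "$0 audit /home baseline" from cron.
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    audit)    audit "$2" "$3" ;;
esac
```

Because the `.ssh` directory itself is recorded, the rename-and-re-create case raised in the quoted text shows up as a changed directory line plus a missing `authorized_keys` line.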
