From owner-freebsd-security Mon Sep 10 11:47:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from male.aldigital.co.uk (male.aldigital.co.uk [213.129.64.13])
	by hub.freebsd.org (Postfix) with ESMTP id D855B37B405
	for ; Mon, 10 Sep 2001 11:47:46 -0700 (PDT)
Received: from algroup.co.uk (sockittome.aldigital.co.uk [194.128.162.252])
	by male.aldigital.co.uk (Postfix) with ESMTP id 8DA7B6A1481;
	Mon, 10 Sep 2001 18:47:45 +0000 (GMT)
Message-ID: <3B9D0AB0.96DB5AA@algroup.co.uk>
Date: Mon, 10 Sep 2001 19:47:12 +0100
From: Adam Laurie
X-Mailer: Mozilla 4.7 [en-gb] (Win98; I)
X-Accept-Language: en
MIME-Version: 1.0
To: David Kirchner
Cc: David Taylor , Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
References: <20010910101420.W85958-100000@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

David Kirchner wrote:
>
> On Mon, 10 Sep 2001, David Taylor wrote:
>
> > Easy enough
> >
> > # mkdir ~user/.ssh
> > # touch ~user/.ssh/{authorized_keys,config,random,etc,etc,etc}
> > # chown root:usersprivategroup ~user/.ssh
> > # chmod 750 ~user/.ssh
> > # chown user:usersprivategroup ~user/.ssh/*
> > # chmod 640 ~user/.ssh/*
> > # chown root:usersprivategroup ~user/.ssh/authorized_keys
> >
> > SSH even seems happy to have a root-owned authorized_keys file...
>
> And then chflags schg .ssh so the user can't rename and re-create the .ssh
> directory.

indeed... that'll be the important bit!

however, i'd still rather just get notified of an important security
change by my regular security checking script than have to enforce
policies that may not be appropriate for all users/machines.

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
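
Added example, not part of the original message: one shape the "regular security checking script" mentioned in the reply could take, reporting authorized_keys files that are new, changed or removed since the previous run. The function names, the baseline file and the NEW/CHANGED/REMOVED report format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: notify on authorized_keys changes instead of enforcing policy.
# Baseline location and the list of home directories are assumptions.

# Hash one file with whichever tool the system provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1,2 | tr ' ' ':'
    fi
}

# lookup FILE PATH: print the hash recorded for PATH in FILE, if any.
lookup() {
    awk -v p="$2" '{h=$1; sub(/^[^ ]+ /, ""); if ($0 == p) print h}' "$1"
}

# audit_authkeys BASELINE HOME...
# Prints one finding per line and then replaces BASELINE with the current state.
audit_authkeys() {
    baseline=$1; shift
    new=$(mktemp) || return 1
    [ -f "$baseline" ] || : > "$baseline"
    for home in "$@"; do
        f=$home/.ssh/authorized_keys
        [ -f "$f" ] || continue
        sum=$(hash_file "$f") || continue
        printf '%s %s\n' "$sum" "$f" >> "$new"
        old=$(lookup "$baseline" "$f")
        if [ -z "$old" ]; then echo "NEW $f"
        elif [ "$old" != "$sum" ]; then echo "CHANGED $f"
        fi
    done
    # Paths in the old baseline that were not seen this run have gone away.
    while read -r _ path; do
        [ -n "$(lookup "$new" "$path")" ] || echo "REMOVED $path"
    done < "$baseline"
    mv "$new" "$baseline"
}

# Typical use from a nightly job (paths are placeholders):
#   audit_authkeys /var/db/authkeys.baseline /home/* /root
```

Keep the baseline file root-owned and outside any user-writable directory so the report cannot be silenced by editing it.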