Date: Mon, 10 Sep 2001 16:24:45 -0400 (EDT)
From: Jim Sander <jim@federation.addy.com>
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <Pine.BSF.4.10.10109101515250.52847-100000@federation.addy.com>
In-Reply-To: <20010910180239.B59628@area51.dk>

> I assume you mean ~/.ssh/identity on the client side?

I meant what I said- `man sshd` ...

"$HOME/.ssh/authorized_keys Lists the RSA keys that can be used to log into the user's account."

> If it's your server, you can enforce rules on authorized_keys.

As was demonstrated in other posts, enforcing "rules" via file-system tricks isn't going to work, or it will end up being more work than allowing "unlimited" RSA Auth. If I set it up so they can't modify the file, it defeats the purpose of having it. Let's not even re-re-start the debate about /etc/periodic monitoring ~/.ssh/authorized_keys...

An option not mentioned is that I could also run one sshd per user- but that wouldn't be very good for me either, although more do-able than schg files and such.

> I'm somewhat puzzled

The reason I don't allow RSAAuthentication is that I envision this near certainty: a user will know enough to set up authentication from his personal machine, but won't adequately guard the private key file from the hypothetical latest Outlook flaw allowing his key to be sent to a script kiddie and then used to change his church's web site on my server into a porn warehouse.

I can handle explaining "don't give your password away" and even "choose something better than Jesus1" - but explaining that he needs to periodically monitor a non-human-readable file in a "hidden" folder on the server is beyond my ability, let alone my desire.

Yet, for certain people who have demonstrated their minimal competence, I want to say "I've set you up to use RSAAuth- make sure you keep an eye on your key files." They'll be capable of doing some way-cool stuff to make their lives immeasurably easier, and we'll all be happy. If this person blows it, I can say "you said you knew what you were doing."

> You would need to take a look at login.conf to specify individual
> authentication methods on a per user basis. I am not clear on how well this
> is supported yet.

Checked login.conf, and pam.conf too- which I think may be a more likely candidate for this sort of thing, maybe? (won't claim to be expert here- and both seem to apply in many ways) I remember reading something about using login.conf classes in pam.conf, but can't remember where or when- it might have been a delusion. :)

Apparently the amount of support is "not at all" at least in RELENG_4, as far as I can see. I can see this being a potentially cool feature to put into either config, but it doesn't look like it's there now. Or maybe the feature is there and the documentation isn't? (or I overlooked it)

Perhaps I should consider this a worthy first task for my contribution to FreeBSD. <doh!> (honestly, I don't think I'm yet qualified to do that reliably, and it's not important enough for me to become so just now) Any pointers would be appreciated though.

-=Jim=-

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message