Date: Mon, 10 Sep 2001 17:43:07 -0400 (EDT)
From: Jim Sander <jim@federation.addy.com>
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <Pine.BSF.4.10.10109101626580.52847-100000@federation.addy.com>
In-Reply-To: <20010910200634.J1983@ringworld.oblivion.bg>
For clarity, do you mean the following?

1) Change system-wide sshd.conf to "RSAAuthentication yes"
2) Create ~/.ssh/config for all users with "RSAAuthentication no"
3) Allow "special" users to change this file.

Assuming that works- it's close to what I want. I don't see anything in the docs about per-user overrides of the config, although I don't see why it wouldn't let you put *more* restrictions on. I'm sure it wouldn't let you, say, turn on RSAAuth if the system-wide conf doesn't allow it- if it does, that's a bug I think. But as I said, I don't see any docs on this...

Unfortunately, with this method I'd have to create thousands of files- and the vast majority of them won't ever get used. Disks are cheap, but it still rubs me the wrong way. I'd prefer a more elegant solution, especially since it still lets *any* user potentially use RSAAuth, not just the ones I decide to allow.

-=Jim=-

On Mon, 10 Sep 2001, Peter Pentchev wrote:

> On Mon, Sep 10, 2001 at 12:53:35PM -0400, Jim Sander wrote:
> > By default, I bar key-based logins (RSAAuthentication no) so that I
> > don't have to worry about users keeping their ~/.ssh/authorized_keys
> > secure. (expecting good key management of people who if left on their own
> > would choose 'me' as their password is probably a bad idea) For most
> > people who never touch a shell anyway, this is fine. But I do want to
> > allow certain users who at least marginally know what they're doing the
> > benefit of using this feature.
> >
> > Anyone know a simple and effective way to do this?
>
> Create a ~/.ssh/config file, put 'RSAAuthentication yes' there.
> I don't think it's possible to do this on a group basis, you'll have
> to do it for each user.
>
> Of course, this also means that each of the other users may put this
> in their own ~/.ssh/config file, and circumvent your attempt to disable
> key-based logins; however, from your description (and some personal
> experience) I would consider that to be somewhat unlikely :)
>
> G'luck,
> Peter
>
> --
> If wishes were fishes, the antecedent of this conditional would be true.
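The "more elegant solution" Jim asks for (a single server-side policy naming which users may use keys, with nothing for other users to override) is what a Match block in sshd_config expresses in OpenSSH 4.4 and later: the authentication keyword is set to "no" in the global section and back to "yes" in a Match Group or Match User block (PubkeyAuthentication is the protocol-2 keyword; RSAAuthentication was its protocol-1 counterpart). The following is an added example, not code from this thread or from OpenSSH, and the config text, users and groups in it are constructed; it parses such a config and resolves the value a given account ends up with under sshd's rule that the first satisfied Match block setting a keyword wins, so an admin can check the policy before relying on it.

```python
import fnmatch

# Constructed sshd_config (not from the thread): keys off globally, on only for group "keyusers" and accounts "ops-*".
SSHD_CONFIG = """\
PasswordAuthentication yes
PubkeyAuthentication no
Match Group keyusers
    PubkeyAuthentication yes
Match User ops-*
    PubkeyAuthentication yes
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return (global_opts, blocks); each block is (criteria, opts) for one Match line."""
    global_opts, blocks = {}, []
    current = global_opts  # keywords land here until the first Match line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":  # "Match Crit1 pat1 Crit2 pat2 ..." opens a new block
            words = value.split()
            criteria = {words[i].lower(): words[i + 1] for i in range(0, len(words), 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            current[key] = value
    return global_opts, blocks

def block_applies(criteria, user, groups):
    """All criteria must hold; only User/Group modelled, patterns are comma-separated globs."""
    for name, patterns in criteria.items():
        if name not in ("user", "group"):
            raise ValueError(f"unsupported Match criterion: {name}")
        candidates = [user] if name == "user" else groups
        if not any(fnmatch.fnmatchcase(c, p) for p in patterns.split(",") for c in candidates):
            return False
    return True

def effective_option(config_text, option, user, groups):
    """Global value, overridden by the FIRST satisfied Match block that sets the keyword (sshd_config(5))."""
    global_opts, blocks = parse_sshd_config(config_text)
    option = option.lower()
    for criteria, opts in blocks:
        if option in opts and block_applies(criteria, user, groups):
            return opts[option]
    return global_opts.get(option)
```

Accounts outside "keyusers" and not matching "ops-*" resolve to PubkeyAuthentication "no" even if they drop a key into ~/.ssh/authorized_keys, which is the property the per-user-file approach in the thread cannot guarantee.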