Message-ID: <4B4755BF.6050707@infracaninophile.co.uk>
Date: Fri, 08 Jan 2010 15:56:47 +0000
From: Matthew Seaman
Organization: Infracaninophile
To: User questions
Subject: Re: Accessing Computer
References: <20100108081228.791ffcbf.wmoran@potentialtech.com>

Carmel wrote:
> On Fri, 8 Jan 2010 08:12:28 -0500 Bill Moran articulated:
>
>> In response to Carmel:
>>
>>> Assume three computers.
>>>
>>> Computer 1 runs Windows with Putty installed
>>> Computer 2 & 3 run FreeBSD
>>>
>>> Computer 1 runs Putty and creates a key that is installed on computer 2.
>>> Computer 2 has a key that is installed on computer 3.
>>>
>>> If someone were to use computer 1 via Putty to access computer 2, would
>>> they then be able to access computer 3? If so, how could I prevent it
>>> from happening?
>> You could prevent ssh connections from 2 -> 3 on port 22 via firewall.
>
> I am not sure if I am following you correctly. I frequently access
> computer 3 from computer 2. If I block port 22 I will have to use
> another one, correct? If I do enable another one, what is to prevent a
> user on computer 1 from accessing computer 2 and then on to computer 3?
>
> What I want to accomplish is making it impossible to access computer 3
> from other than computer 2 and then only if computer two is not being
> used as a slave from computer 1, or any other computer for that matter.

In order to do this, you'd have to have a private key stored on Computer 2.
Unfortunately, if you or anyone authorised to use that key pair logs into
Computer 2 they can then use that key to ssh into Computer 3 irrespective
of whether they logged in over the network, or on Computer 2's console.

> Probably what I want cannot be implemented; however, I thought I would
> ask anyway.

I don't think it can. But the big 'if' in my statement above is 'authorized
to use the private key' -- or in other words they know the passphrase there.
Just don't tell the user from Computer 1 the passphrase to the key on
Computer 2 and you will achieve the desired effect.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW