Date: Thu, 1 Jul 1999 16:37:55 -0400 (EDT)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: rsowders@usgs.gov (Robert Sowders)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: SSH Working Like rsh
Message-ID: <199907012037.QAA19191@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <s77ad111.077@usgs.gov> from Robert Sowders at "Jul 1, 99 02:22:41 am"

Robert Sowders wrote,
[snip some good step-by-step directions, but directions for stuff I
personally had already figured out.]

> If you would like to do passwordless logins with
> RSA passphrase then you will need to do the
> following. Be aware that the scary statements
> about null passphrased private key are there for a
> good reason. If someone can steal your key or copy
> it then they will have root on the receiving machine
> with no questions asked, but to do this from any
> machine other than the one they stole it from is very
> difficult and again they would have to have a toehold
> on your machine to start with.
> So Caveat Emptor.

OK, I guess this is what I was really after. First, is RSA-based host
authentication not better than old-fashioned rhosts authentication?
Isn't it better to use this, even if I am going to have to go with
null-passphrases, than to use rhost authentication within SSH (or
gods forbid, using the actual rsh suite)?

Hmmm... Now that I think about it, there really is no reason for root
to be able to ssh in from any other machine but that one (I typically
ssh in with a mortal user and su to root when being interactive).

Hmmm... How does an individual user tell the sshd configuration which
hosts to allow access to this account? The ~/.ssh/authorized_keys lets
people in, but it does not necessarily turn people away. I would like
to be able to restrict what hosts can access root, but not put any
restrictions on certain other users. If that is possible, it seems
using the null-passphrase would not be much of a risk (if it even is
in the first place).

Thanks a lot for the very complete reply.
-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message