From owner-freebsd-security Thu Jul 1 13:36:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207]) by hub.freebsd.org (Postfix) with ESMTP id 53D4214E2A; Thu, 1 Jul 1999 13:36:47 -0700 (PDT) (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost) by cc942873-a.ewndsr1.nj.home.com (8.9.3/8.8.8) id QAA19191; Thu, 1 Jul 1999 16:37:55 -0400 (EDT) (envelope-from cjc)
From: "Crist J. Clark"
Message-Id: <199907012037.QAA19191@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: SSH Working Like rsh
In-Reply-To: from Robert Sowders at "Jul 1, 99 02:22:41 am"
To: rsowders@usgs.gov (Robert Sowders)
Date: Thu, 1 Jul 1999 16:37:55 -0400 (EDT)
Cc: freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert Sowders wrote,

[snip some good step-by-step directions, but directions for stuff I personally had already figured out.]

> If you would like to do passwordless logins with
> RSA passphrase then you will need to do the
> following. Be aware that the scary statements
> about null passphrased private key are there for a
> good reason. If someone can steal your key or copy
> it then they will have root on the receiving machine
> with no questions asked, but to do this from any
> machine other than the one they stole it from is very
> difficult and again they would have to have a toehold
> on your machine to start with.
> So Caveat Emptor.

OK, I guess this is what I was really after. First, is RSA-based host authentication not better than old-fashioned rhosts authentication?
Isn't it better to use this, even if I am going to have to go with null passphrases, than to use rhosts authentication within SSH (or gods forbid, using the actual rsh suite)?

Hmmm... Now that I think about it, there really is no reason for root to be able to ssh in from any other machine but that one (I typically ssh in with a mortal user and su to root when being interactive).

Hmmm... How does an individual user tell the sshd configuration which hosts to allow access to this account? The ~/.ssh/authorized_keys lets people in, but it does not necessarily turn people away. I would like to be able to restrict what hosts can access root, but not put any restrictions on certain other users. If that is possible, it seems using the null passphrase would not be much of a risk (if it even is in the first place).

Thanks a lot for the very complete reply.

-- 
Crist J. Clark
cjclark@home.com
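The per-account host restriction asked about above is the `from="pattern-list"` option that ssh and OpenSSH accept at the start of an `authorized_keys` line (alongside `command=`, `no-port-forwarding` and similar). The following is an added example, not code from this thread or from the SSH project: it parses that options field and reports which of root's keys would accept a connection from any host, applying sshd's pattern-list rule for `from=`. The hostnames, addresses and key blobs in `SAMPLE` are constructed, and `fnmatch` stands in for ssh's own wildcard matcher.

```python
import fnmatch

# Constructed sample authorized_keys for root (not a real file): an SSH1-style
# key with no options, a key pinned to two hosts, and one with a negated pattern.
SAMPLE = """\
1024 35 1234567890 root@unrestricted-box
from="admin.example.org,192.0.2.10",no-port-forwarding ssh-rsa AAAAB3Nza... cjc@home
from="*.example.org,!guest.example.org",command="/usr/bin/rsync --server" ssh-rsa AAAAB3Nza... backup
"""

def split_options(line):
    """Split one line into (options, key-part). The options field ends at the
    first unquoted whitespace; quoted values may contain commas and spaces.
    Lines starting with a digit (SSH1 key) or a key type carry no options."""
    if line[0].isdigit() or line.startswith("ssh-"):
        return [], line
    opts, buf, quoted = [], "", False
    for i, c in enumerate(line):
        if c == '"':
            quoted = not quoted                 # drop the quote, keep contents
        elif c == "," and not quoted:
            opts.append(buf); buf = ""
        elif c.isspace() and not quoted:
            return opts + [buf], line[i:].lstrip()
        else:
            buf += c
    return opts + [buf], ""

def host_allowed(patterns, host):
    """sshd pattern-list rule: a matching '!' pattern denies at once; otherwise
    some positive pattern must match ('*' and '?' wildcards via fnmatch)."""
    allowed = False
    for p in patterns:
        if p.startswith("!") and fnmatch.fnmatchcase(host, p[1:]):
            return False
        if not p.startswith("!") and fnmatch.fnmatchcase(host, p):
            allowed = True
    return allowed

def audit(text):
    """Map each key's comment field to its from= patterns (None = any host)."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            opts, key = split_options(line)
            pats = [o[5:].split(",") for o in opts if o.startswith("from=")]
            report[key.split()[-1]] = pats[0] if pats else None
    return report
```

Run `audit()` over `/root/.ssh/authorized_keys` to list keys with `None`, i.e. keys that any host holding the private key may use; the question's other users need no `from=` and are left alone.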