From: Rob Andrews <rob@cyberpunkz.org>
To: freebsd-security@freebsd.org
Date: Thu, 13 Dec 2001 10:21:09 -0600 (CST)
Subject: Question about sshd...
Message-ID: <20011213102109.A18375@switchblade.cyberpunkz.org>

I am wondering if there is a way, or if there has been consideration of a way, to implement login permissions based upon user authentication via sshd (OpenSSH 3.0.2).

The reason I am asking is because I want to force all staff members to login through the system based upon their generated keypairs, such as an RSA or DSA keypair. Users, since they have very limited access, I am not as worried about an account compromise. But if a staff user's account on a machine is compromised, then I at least want someone to have to have worked for it to even get logged into the system.

I'd heard talk from someone else that they were interested in patching opensshd to do just this, so you could create a rule in the config for an allowed user and say a 'without-password' option such as there is allowed for root.

Any ideas? :)

Thanks,
--
Robert Andrews
Cyberpunk Alliance http://www.cyberpunkz.org
Minneapolis, MN  Email: rob@cyberpunkz.org  Office: 763-535-6392
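One way to get what the post asks for without patching sshd, as an added example that is not part of the original thread: later OpenSSH releases (4.4 and up; the 3.0.2 in the question predates this) have a `Match` block, so `Match Group staff` with `PasswordAuthentication no` makes key-only login a per-group rule. The script below parses a constructed sshd_config and reports whether a given user ends up key-only, applying sshd's rule that the first `Match` block that sets a keyword overrides the global value; the config text and user/group names are constructed for the example.

```python
"""Audit an sshd_config for users who are restricted to public-key login."""

# sshd defaults for the keywords this check cares about
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings), ...])."""
    globals_, matches, current = {}, [], {}
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            toks = value.split()                      # e.g. "Group staff,admin"
            crit = {k.lower(): set(v.lower().split(",")) for k, v in zip(toks[::2], toks[1::2])}
            current = {}
            matches.append((crit, current))
        else:
            current.setdefault(key, value)            # first value wins, as in sshd
    return globals_, matches

def block_matches(crit, user, groups):
    """Evaluate the User/Group criteria of a Match block (other criteria ignored)."""
    ok = True
    if "user" in crit:
        ok &= user.lower() in crit["user"]
    if "group" in crit:
        ok &= bool(crit["group"] & {g.lower() for g in groups})
    return ok

def effective(cfg, key, user, groups):
    """Value sshd would use for `key` on a session for `user` in `groups`."""
    globals_, matches = cfg
    key = key.lower()
    for crit, settings in matches:                    # first matching block that sets it wins
        if block_matches(crit, user, groups) and key in settings:
            return settings[key]
    return globals_.get(key, DEFAULTS.get(key))

def key_only(cfg, user, groups):
    """True if the user can authenticate with a public key and nothing else."""
    return (effective(cfg, "PubkeyAuthentication", user, groups) == "yes"
            and effective(cfg, "PasswordAuthentication", user, groups) == "no"
            and effective(cfg, "KbdInteractiveAuthentication", user, groups) == "no")

# Constructed sample: staff must use keys, everyone else may still use passwords.
SAMPLE = """
PasswordAuthentication yes
PubkeyAuthentication yes
Match Group staff
    PasswordAuthentication no
    KbdInteractiveAuthentication no
Match User guest
    PasswordAuthentication yes
"""
CFG = parse_sshd_config(SAMPLE)
```

Run `key_only(CFG, "alice", ["staff"])` for a staff account and `key_only(CFG, "bob", ["users"])` for a regular one; note that a user named `guest` who is also in `staff` is still key-only, because the `Group staff` block comes first.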