From owner-freebsd-security Thu Dec 13 8:59:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from shikima.mine.nu (pc1-card4-0-cust77.cdf.cable.ntl.com [62.252.49.77]) by hub.freebsd.org (Postfix) with ESMTP id D879F37B405 for ; Thu, 13 Dec 2001 08:59:12 -0800 (PST)
Received: from rasputin by shikima.mine.nu with local (Exim 3.33 #1) id 16EZEP-0009TF-00; Thu, 13 Dec 2001 17:01:13 +0000
Date: Thu, 13 Dec 2001 17:01:13 +0000
From: Rasputin
To: Rob Andrews
Cc: security@freebsd.org
Subject: Re: Question about sshd...
Message-ID: <20011213170113.A36344@shikima.mine.nu>
Reply-To: Rasputin
References: <20011213102109.A18375@switchblade.cyberpunkz.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20011213102109.A18375@switchblade.cyberpunkz.org>; from rob@cyberpunkz.org on Thu, Dec 13, 2001 at 10:21:09AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-Archive: (Web Archive)
List-Help: (List Instructions)
X-Loop: FreeBSD.org

* Rob Andrews [011213 16:28]:
> I am wondering if there is a way or if there has been consideration
> of a way to implement login permissions based upon user authentication
> via sshd (openssh 3.0.2)
>
> The reason I am asking is because I want to force all staff members to
> login through the system based upon their generated keypairs such as an
> RSA or DSA keypair. Users, since they have very limited access, I am not
> as worried about an account compromise. But if a staff user's account
> on a machine is compromised then I at least want someone to have to have
> worked for it to even get logged into the system.
>
> I'd heard talk from someone else that they were interested in patching
> opensshd to do just this, so you could create a rule in the config
> for an allowed user and say a 'without-password' option such as there
> is allowed for root.
Is there a reason you can't use the usual RSA authentication methods for
this? That doesn't rely on system passwords, just the private keyfile.

-- 
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
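The per-user "key only, no password" rule Rob asks for, and that Rasputin's reply gets at by leaning on public-key authentication instead of system passwords, is what a later sshd_config expresses with a Match block: leave PasswordAuthentication on globally and switch it (and ChallengeResponseAuthentication, which otherwise still lets PAM prompt for a password) off for the staff group. The block below is an added example, not code from the thread or from OpenSSH. It embeds a constructed sshd_config and resolves which settings sshd would apply to a given user, reproducing the rule that global values are overridden by Match blocks and that, when several matching Match blocks set the same keyword, the first one wins. Two assumptions to flag: the Match directive appeared in OpenSSH 4.4, so it was not available in the 3.0.2 discussed here, and the resolver only understands User and Group criteria as comma-separated exact names, not the glob patterns real sshd accepts.

```python
"""Resolve the effective sshd authentication settings for a user.

Added example; the config below is constructed for illustration and is not
from the original message.  Semantics modelled: within a section the first
value for a keyword wins; a matching Match block overrides the global
section; across several matching Match blocks the first one to set a
keyword wins.  Only 'User' and 'Group' criteria are supported, as exact
comma-separated names (sshd itself accepts glob patterns).
"""
import shlex

SSHD_CONFIG = """
# Global defaults: ordinary, low-privilege users may still use passwords.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin without-password

# Staff must present a key; nothing password-based is accepted for them.
Match Group staff
    PasswordAuthentication no
    ChallengeResponseAuthentication no

# Intended as a break-glass exception, but an 'oncall' account that is also
# in 'staff' stays key-only: the earlier Match block already set the keyword.
Match User oncall
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]) with lower-cased keys."""
    global_settings = {}
    match_blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            # "Match Group staff User alice" -> {'group': 'staff', 'user': 'alice'}
            criteria = {k.lower(): v for k, v in zip(args[::2], args[1::2])}
            current = {}
            match_blocks.append((criteria, current))
        else:
            # First value for a keyword in a section is the one sshd keeps.
            current.setdefault(key, " ".join(args))
    return global_settings, match_blocks


def block_matches(criteria, user, groups):
    """True if every criterion on the Match line is satisfied by this user."""
    for crit, pattern in criteria.items():
        names = pattern.split(",")
        if crit == "user":
            if user not in names:
                return False
        elif crit == "group":
            if not set(groups) & set(names):
                return False
        else:
            raise ValueError("unsupported Match criterion: " + crit)
    return True


def effective_settings(config_text, user, groups):
    """Global values, overridden per keyword by the first matching Match block."""
    global_settings, match_blocks = parse_sshd_config(config_text)
    effective = dict(global_settings)
    set_by_match = set()
    for criteria, settings in match_blocks:
        if not block_matches(criteria, user, groups):
            continue
        for key, value in settings.items():
            if key not in set_by_match:
                effective[key] = value
                set_by_match.add(key)
    return effective


def password_logins_possible(config_text, user, groups):
    """True if either password or challenge-response auth is still enabled.

    Both default to 'yes' in sshd, so an absent keyword counts as enabled.
    """
    s = effective_settings(config_text, user, groups)
    return (s.get("passwordauthentication", "yes") == "yes"
            or s.get("challengeresponseauthentication", "yes") == "yes")


if __name__ == "__main__":
    for user, groups in (("alice", ["users"]), ("bob", ["staff"]),
                         ("oncall", ["staff", "users"]), ("oncall", ["users"])):
        print(user, groups, "password logins:",
              password_logins_possible(SSHD_CONFIG, user, groups))
```

The ordering trap is the part worth checking on a real host: the second Match block looks like it re-enables passwords for oncall, but for an oncall account in the staff group it has no effect, because sshd takes the first matching block's value for PasswordAuthentication. On a live system the authoritative answer comes from `sshd -T -C user=oncall` rather than from reading the file. Two naming caveats when applying this to current OpenSSH: `without-password` is kept as an alias for `prohibit-password`, and `ChallengeResponseAuthentication` is kept as an alias for `KbdInteractiveAuthentication`.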