From: "Haikal Saadh"
To: "'Rob Andrews'"
Subject: RE: Question about sshd...
Date: Thu, 13 Dec 2001 22:01:19 +0500

I understood that if you *'red out your staff members password using vipw, and if you generate a keypair for them, they should be able to login via ssh, but not telnet or the local console.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Rob Andrews
> Sent: Thursday, December 13, 2001 9:21 PM
> To: freebsd-security@freebsd.org
> Subject: Question about sshd...
>
>
> I am wondering if there is a way or if there has been
> consideration of a way to implement login permissions based
> upon user authentication via sshd (openssh 3.0.2)
>
> The reason I am asking is because I want to force all staff
> members to login through the system based upon their
> generated keypairs such as a RSA or DSA keypair. Users since
> they have very limited access I am not as worried about an
> account compromise. But if a staff user's account on a
> machine is compromised then I at least want someone to have
> to have worked for it to even get logged into the system.
>
> I'd heard talk from someone else that they were interested in
> patching opensshd to do just this. So you could create a
> rule in the config for an allowed user and say a
> 'without-password' option such as there is allowed for root.
>
> Any ideas? :)
> Thanks,
>
> --
> ::::::::::::=================---------------------
> :|Robert Andrews
> :|Cyberpunk Alliance http://www.cyberpunkz.org
> :|Minneapolis, MN Email: rob@cyberpunkz.org Office: 763-535-6392
> :::::::::::::::::::::::::::====================-------------------------
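
Added example (not part of the original thread): a small sh/awk audit that reports, for a list of staff accounts, whether the password field in a master.passwd-format file has been starred out as the reply suggests. The account names, the sample file contents and the function names are constructed for illustration; on a real system the input would be a root-readable copy of the password database.

```shell
#!/bin/sh
# Report the state of the password field (field 2 of master.passwd(5))
# for each named staff account.
# Usage: audit_staff <master.passwd-format file> <user> [user...]
audit_staff() {
    pwfile=$1; shift
    for user in "$@"; do
        awk -F: -v u="$user" '
            $1 == u {
                found = 1
                if ($2 == "*")      print u ": key-only (password starred out)"
                else if ($2 == "")  print u ": EMPTY password field"
                else                print u ": password login still possible"
            }
            END { if (!found) print u ": no such account" }
        ' "$pwfile"
    done
}

# Constructed sample in master.passwd format; the hash is a placeholder.
sample_passwd() {
    cat <<'EOF'
alice:*:1001:1001::0:0:Alice (staff):/home/alice:/bin/sh
bob:$1$constructed$placeholderhash:1002:1002::0:0:Bob (staff):/home/bob:/bin/sh
carol::1003:1003::0:0:Carol (staff):/home/carol:/bin/sh
EOF
}

# Demo on the constructed sample.
demo=$(mktemp)
sample_passwd > "$demo"
audit_staff "$demo" alice bob carol dave
rm -f "$demo"
```

Any account not reported as key-only still has something in (or missing from) its password field that needs attention before key pairs can be treated as the only way in.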