From owner-freebsd-security Wed Jan 26 11:37:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from testbed.baileylink.net (testbed.baileylink.net [63.71.213.24])
    by hub.freebsd.org (Postfix) with ESMTP id 1838214C9B
    for ; Wed, 26 Jan 2000 11:37:44 -0800 (PST)
    (envelope-from brad@testbed.baileylink.net)
Received: (from brad@localhost)
    by testbed.baileylink.net (8.9.3/8.9.3) id NAA12204;
    Wed, 26 Jan 2000 13:37:44 -0600 (CST)
    (envelope-from brad)
Date: Wed, 26 Jan 2000 13:37:44 -0600
From: Brad Guillory
To: Todd Backman
Cc: security@freebsd.org
Subject: Re: root authorized_keys ignore?
Message-ID: <20000126133744.D86303@baileylink.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from todd@flyingcroc.net on Wed, Jan 26, 2000 at 11:18:53AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Todd,

I probably don't have the answer that you want but I figured that I
would ramble on a bit:

If this were a configurable option it would not gain you much. Anyone
that would have root write permissions can change the configuration
file. I would suggest that you make a ~root/.ssh directory and
associated files and mark them and the directory all immutable. This
would afford you just as much protection, even more so if you ran at
secure level where root user can not change these flags.

Hope that this stirs some thoughts,

BMG

On Wed, Jan 26, 2000 at 11:18:53AM -0800, Todd Backman wrote:
>
> Greetings.
>
> I have checked the man pages for both ssh and sshd as well as checking the
> archives and cannot answer this question:
>
> Is there any way to get sshd to ignore root's authorized_keys? (disallow
> the practice of putting the private key on another server to allow for
> passwordless entry)
>
> I would still like to allow this on our servers for non-root accts but *DO
> NOT* want to allow it for root...
>
> Any hits with the clue bat?
>
> Thanks.
>
> - Todd
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
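
The suggestion in the reply above, written out as an added example that is not part of the original thread: it empties and flags root's `authorized_keys` with `schg`, then audits `ls -lo` output and the securelevel. The function names, the `/root/.ssh` default and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Apply the suggestion on FreeBSD as root: an empty authorized_keys inside
# a directory that, like the file, carries the system-immutable flag.
harden_root_ssh() {
    dir=${1:-/root/.ssh}          # assumption: root's home is /root
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Truncate on purpose: any key left in the file would be frozen in place.
    : > "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys" || return 1
    chflags schg "$dir/authorized_keys" "$dir"
}

# Read `ls -lo` lines on stdin (flags are the 5th column on FreeBSD) and
# print every entry that lacks schg. Exit status 0 only if none is missing.
# File names containing spaces are reported by their last word only.
missing_schg() {
    awk 'NF >= 10 {
             n = split($5, f, ","); ok = 0
             for (i = 1; i <= n; i++) if (f[i] == "schg") ok = 1
             if (!ok) { print $NF; bad = 1 }
         }
         END { exit bad + 0 }'
}

# schg can still be cleared by root at securelevel 0 or -1; it only binds
# at 1 or higher. Pass a value to test offline, or omit it to ask the kernel.
flags_locked() {
    [ "${1:-$(sysctl -n kern.securelevel 2>/dev/null)}" -ge 1 ] 2>/dev/null
}

# Constructed sample of `ls -lo /root/.ssh` output (not from the thread).
sample='total 0
-rw-------  1 root  wheel  schg 0 Jan 26 13:40 authorized_keys
-rw-------  1 root  wheel  -    0 Jan 26 13:41 known_hosts'

printf '%s\n' "$sample" | missing_schg || true   # prints: known_hosts
```

On a live FreeBSD host, run `ls -lo /root/.ssh | missing_schg && flags_locked` after `harden_root_ssh`; both must succeed before the flags count as protection against a process already running as root.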