From owner-freebsd-security Mon Apr 12 8:50: 2 1999
Delivered-To: freebsd-security@freebsd.org
Received: from dazed.slacker.com (dazed.slacker.com [208.15.208.76]) by hub.freebsd.org (Postfix) with SMTP id E3BCA14ECC for ; Mon, 12 Apr 1999 08:49:49 -0700 (PDT) (envelope-from fbsdlist@dazed.slacker.com)
Received: (qmail 62709 invoked by uid 1012); 12 Apr 1999 15:47:29 -0000
Date: Mon, 12 Apr 1999 10:47:29 -0500
From: David McNett
To: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <19990412104729.A62365@dazed.slacker.com>
References: <199904080936.TAA11475@atdot.dotat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: ; from Bruce Campbell on Fri, Apr 09, 1999 at 10:26:24AM +1000
X-Operating-System: FreeBSD 3.1-STABLE i386
X-Distributed: Join the Effort! http://www.distributed.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 09-Apr-1999, Bruce Campbell wrote:
> Works for me, although I'll admit to being a bit shy of null-password RSA
> keys, which can be alleviated somewhat by restricting which hosts can use
> which keys.

Actually the level of restriction can be much more granular than simply
permitting and denying on a host-by-host basis. The sshd manpage has
considerable detail on this under the subheading AUTHORIZED_KEYS FILE FORMAT.

In addition to specifying valid remote hosts on a key basis, one can also
restrict a keypair to a single command with the "command=" directive. In
this way you can prohibit the null-passphrase RSA key to a single task and
not worry about an open shell if the keypair is compromised. While any
null-passphrase situation is by definition an open door, you can at least
limit the scope of the activity that compromise permits.

    from="trust.slacker.com",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,command="/home/luser/bin/only_this_command" 1024 35 13857477407069656629790922654532431738217750695935005926561025281645881458968562818828612328348480183921191882598263470247545000152074356254788521384667497127695311113454699914367691104182860556020720126233941691609279985166322231277819860850869327337507767935037210072789473261413981869220778007945254798235 9 null passphrase key
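As an added example (not part of the message or of sshd itself), a small Python evaluator for entries in the AUTHORIZED_KEYS FILE FORMAT discussed above: it parses the option field, including quoted values that contain commas, applies sshd's from= pattern rules with "!" negation, and reports what a session from a given client host would be permitted. The sample entry, host names and placeholder modulus are constructed.

```python
import fnmatch

# Constructed sample in the sshd(8) AUTHORIZED_KEYS FILE FORMAT; modulus is a placeholder.
EXAMPLE_ENTRY = ('from="trust.slacker.com,!*.example.org",no-pty,no-agent-forwarding,'
                 'no-X11-forwarding,no-port-forwarding,'
                 'command="/home/luser/bin/only_this_command" 1024 35 123456789 null key')

def parse_options(line):
    """Option dict for one authorized_keys line. Options end at the first whitespace
    outside quotes; commas inside quotes do not split; a leading digit means no options."""
    line = line.strip()
    if not line or line[0].isdigit():
        return {}
    opts, cur, quoted = {}, [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted               # quotes delimit a value, they are not content
        elif (ch == ',' or ch.isspace()) and not quoted:
            name, _, value = ''.join(cur).partition('=')
            opts[name] = value or True        # bare flags such as no-pty become True
            cur = []
            if ch.isspace():
                break                         # the rest of the line is the key itself
        else:
            cur.append(ch)
    return opts

def host_allowed(patterns, host):
    """sshd-style from= list: '*' and '?' wildcards, '!' negates. A matching negated
    pattern denies outright; otherwise at least one positive pattern must match."""
    positive = False
    for pat in patterns.split(','):
        if fnmatch.fnmatchcase(host, pat.lstrip('!')):
            if pat.startswith('!'):
                return False
            positive = True
    return positive

def evaluate(line, client_host):
    """What a session authenticating with this key from client_host may do."""
    opts = parse_options(line)
    return {
        'allowed': 'from' not in opts or host_allowed(opts['from'], client_host),
        'command': opts.get('command'),       # None means no forced command: a shell
        'pty': 'no-pty' not in opts,
        'agent_forwarding': 'no-agent-forwarding' not in opts,
        'x11_forwarding': 'no-X11-forwarding' not in opts,
        'port_forwarding': 'no-port-forwarding' not in opts,
    }
```

Running evaluate(EXAMPLE_ENTRY, 'trust.slacker.com') shows the key usable only for the forced command with no pty or forwarding, while a host under example.org is refused before the key is considered.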