From owner-freebsd-security Mon Sep 10 10: 2:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from C-Tower.Area51.DK (c-tower.area51.dk [62.243.200.203]) by hub.freebsd.org (Postfix) with SMTP id 767E737B406 for ; Mon, 10 Sep 2001 10:02:20 -0700 (PDT) Received: (qmail 61875 invoked by uid 1007); 10 Sep 2001 17:02:39 -0000 Date: Mon, 10 Sep 2001 18:02:39 +0100 From: Alex Holst To: Freebsd-security@FreeBSD.ORG Subject: Re: allow selective RSA AUTH in sshd setup? Message-ID: <20010910180239.B59628@area51.dk> Mail-Followup-To: Alex Holst , Freebsd-security@FreeBSD.ORG References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from jim@federation.addy.com on Mon, Sep 10, 2001 at 12:53:35PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Quoting Jim Sander (jim@federation.addy.com): > By default, I bar key-based logins (RSAAuthentication no) so that I > don't have to worry about users keeping their ~/.ssh/authorized_keys > secure. I assume you mean ~/.ssh/identity on the client side? If it's your server, you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys are significantly stronger plain passwords. What do you use for authentication? SecurID? CryptoCard? You would need to take a look at login.conf to specify individual authentication methods on a per user basis. I am not clear on how well this is supported yet. -- I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow. http://a.area51.dk/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message