From owner-freebsd-security Mon Sep 10 10: 9: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (sentinel.office1.bg [217.75.135.254]) by hub.freebsd.org (Postfix) with SMTP id 6492A37B401 for ; Mon, 10 Sep 2001 10:08:38 -0700 (PDT)
Received: (qmail 5220 invoked by uid 1000); 10 Sep 2001 17:06:34 -0000
Date: Mon, 10 Sep 2001 20:06:34 +0300
From: Peter Pentchev
To: Jim Sander
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910200634.J1983@ringworld.oblivion.bg>
Mail-Followup-To: Jim Sander , Freebsd-security@FreeBSD.ORG
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jim@federation.addy.com on Mon, Sep 10, 2001 at 12:53:35PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, Sep 10, 2001 at 12:53:35PM -0400, Jim Sander wrote:
> By default, I bar key-based logins (RSAAuthentication no) so that I
> don't have to worry about users keeping their ~/.ssh/authorized_keys
> secure. (expecting good key management of people who if left on their own
> would choose 'me' as their password is probably a bad idea) For most
> people who never touch a shell anyway, this is fine. But I do want to
> allow certain users who at least marginally know what they're doing the
> benefit of using this feature.
>
> Anyone know a simple and effective way to do this?

Create a ~/.ssh/config file, put 'RSAAuthentication yes' there.
I don't think it's possible to do this on a group basis, you'll have
to do it for each user.

Of course, this also means that each of the other users may put this
in their own ~/.ssh/config file, and circumvent your attempt to disable
key-based logins; however, from your description (and some personal
experience) I would consider that to be somewhat unlikely :)

G'luck,
Peter

-- 
If wishes were fishes, the antecedent of this conditional would be true.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message