Date: Fri, 25 Sep 1998 21:01:29 +0100
From: Brian Somers <brian@Awfulhak.org>
To: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
Cc: Brian Somers <brian@Awfulhak.org>, Mark Murray <mark@grondar.za>, Nik Clayton <nik@nothing-going-on.demon.co.uk>, committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
Message-ID: <199809252001.VAA03478@woof.lan.awfulhak.org>
In-Reply-To: Your message of "25 Sep 1998 11:52:58 +0200." <xzpaf3objt1.fsf@hrotti.ifi.uio.no>

> Brian Somers <brian@Awfulhak.org> writes:
> > If you do stuff from libalias'd machines, you must make your host key
> > on all machines behind the alias'er the same as the alias'ers and add
> > whatever *.freebsd.org sees as being the connecting machine to your
> > .shosts file.
>
> Don't use .shosts, use key authentication. Although your key includes
> a host name, ssh doesn't actually care if it's the one you're calling
> from or not, so you can generate a key on one machine and carry it
> around to others. Very useful if your home directory is shared between
> several machines.

? I'm not sure what you mean. Using .shosts is impossible without
key authentication isn't it ? It would be the same as .rhosts
otherwise.

Having a host in your known_hosts and .shosts file just allows
automatic key authentication (no password required). Making the same
connection from an IP that's not in known_hosts and .shosts is still
ok, but requires your pass phrase or password at login time.

Am I missing something ?

Hmmm, maybe I am. Thinking about it, it would make sense if .shosts
specified what machine/ip you can use known_hosts with, and
known_hosts specifies what that host key should be. If this is the
case, then a separate key can be used even for hosts behind an
aliased gateway, as long as the gateway is in the .shosts file and
the connecting machine is in known_hosts.

Hmm, I'll do a bit of mucking around at some point and figure this
out ;-)

Thanks for the food for thought.

> DES
> --
> Dag-Erling Smørgrav - dag-erli@ifi.uio.no
>

--
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
      <http://www.Awfulhak.org>
Don't _EVER_ lose your sense of humour....
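
An added example, not part of the original message: a shell check for whether an OpenSSH server would honour per-user .shosts files and which accounts have one, in line with the quoted advice to prefer key authentication. It assumes OpenSSH's sshd_config keywords HostbasedAuthentication and IgnoreRhosts, which postdate this thread; the function names, paths and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this sshd honour per-user .shosts, and who has one?
# Limitation: reads one file only; Match blocks and Include are not evaluated.

# Effective value of a keyword: sshd uses the first occurrence, and keywords
# are case-insensitive. Prints DEFAULT when the keyword is absent.
sshd_setting() {  # usage: sshd_setting FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# "honoured" when sshd would consult ~/.shosts, otherwise "ignored".
# OpenSSH defaults: HostbasedAuthentication no, IgnoreRhosts yes.
shosts_verdict() {  # usage: shosts_verdict SSHD_CONFIG
    hb=$(sshd_setting "$1" HostbasedAuthentication no)
    ig=$(sshd_setting "$1" IgnoreRhosts yes)
    if [ "$hb" = yes ] && [ "$ig" != yes ]; then echo honoured; else echo ignored; fi
}

# Per-user trust files one level below HOME_ROOT.
find_trust_files() {  # usage: find_trust_files HOME_ROOT
    for f in "$1"/*/.shosts "$1"/*/.rhosts; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Constructed sample input (not from the original message).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/home/alice" "$demo/home/bob"
printf 'gateway.example.org alice\n' > "$demo/home/alice/.shosts"
printf 'HostbasedAuthentication yes\nIgnoreRhosts no\n' > "$demo/weak_sshd_config"
printf '#IgnoreRhosts no\nHostbasedAuthentication no\nPubkeyAuthentication yes\n' \
    > "$demo/hardened_sshd_config"

for cfg in weak hardened; do
    echo "$cfg: .shosts $(shosts_verdict "$demo/${cfg}_sshd_config")"
done
echo "trust files found:"
find_trust_files "$demo/home"
```

Even with IgnoreRhosts left at yes, enabling HostbasedAuthentication still lets sshd consult the system-wide /etc/hosts.equiv and /etc/shosts.equiv, so the verdict here covers only the per-user file.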