From owner-cvs-all Fri Sep 25 13:13:35 1998
Message-Id: <199809252001.VAA03478@woof.lan.awfulhak.org>
To: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
cc: Brian Somers, Mark Murray, Nik Clayton, committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
In-reply-to: Your message of "25 Sep 1998 11:52:58 +0200."
Date: Fri, 25 Sep 1998 21:01:29 +0100
From: Brian Somers

> Brian Somers writes:
> > If you do stuff from libalias'd machines, you must make your host key
> > on all machines behind the alias'er the same as the alias'ers and add
> > whatever *.freebsd.org sees as being the connecting machine to your
> > .shosts file.
>
> Don't use .shosts, use key authentication. Although your key includes
> a host name, ssh doesn't actually care if it's the one you're calling
> from or not, so you can generate a key on one machine and carry it
> around to others. Very useful if your home directory is shared between
> several machines.

? I'm not sure what you mean. Using .shosts is impossible without key authentication, isn't it? It would be the same as .rhosts otherwise.

Having a host in your known_hosts and .shosts file just allows automatic key authentication (no password required). Making the same connection from an IP that's not in known_hosts and .shosts is still ok, but requires your pass phrase or password at login time.

Am I missing something?

Hmmm, maybe I am. Thinking about it, it would make sense if .shosts specified what machine/ip you can use known_hosts with, and known_hosts specifies what that host key should be. If this is the case, then a separate key can be used even for hosts behind an aliased gateway, as long as the gateway is in the .shosts file and the connecting machine is in known_hosts.

Hmm, I'll do a bit of mucking around at some point and figure this out ;-)

Thanks for the food for thought.

> DES
> --
> Dag-Erling Smørgrav - dag-erli@ifi.uio.no

--
Brian
Don't _EVER_ lose your sense of humour....
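An added example, not code from this thread or from ssh itself: a small Python model of the .shosts / known_hosts check as Brian works it out above, run against constructed sample files. The host names (gateway.example.org, laptop.example.org), user names and key strings are made up, and the known_hosts format is simplified to three fields.

```python
# Added example (not code from this thread): a minimal model of SSH
# host-based auth as Brian reasons it out above. .shosts says which
# client host (and optionally user) may log in without a password;
# known_hosts says which host key that host must present. Real sshd also
# checks a signature from the client's host key; here a key is just an
# opaque string. All hosts, users and keys below are constructed.

def parse_shosts(text):
    """Return (host, user) rules from .shosts; user None means any user."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        rules.append((fields[0], fields[1] if len(fields) > 1 else None))
    return rules

def parse_known_hosts(text):
    """Map each host to its (keytype, key); simplified 3-field format."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        for host in fields[0].split(","):
            keys[host] = (fields[1], fields[2])
    return keys

def hostbased_allowed(client_host, client_user, presented_key, shosts, known_hosts):
    """True iff host-based auth would succeed. client_host is the name the
    server sees: behind a libalias'd gateway that is the gateway itself, so
    the known_hosts entry for it must hold the gateway's key."""
    # Step 1: .shosts must list the client host (and the user, if it names one).
    if not any(h == client_host and u in (None, client_user) for h, u in shosts):
        return False
    # Step 2: the presented host key must match the known_hosts entry.
    return known_hosts.get(client_host) == presented_key

# Constructed sample files for the scenario discussed in the thread.
SHOSTS = parse_shosts("gateway.example.org\nlaptop.example.org brian\n")
KNOWN_HOSTS = parse_known_hosts("gateway.example.org ssh-rsa GATEWAYKEY\n"
                                "laptop.example.org ssh-rsa LAPTOPKEY\n")

def check(client_host, client_user, key):
    """Convenience wrapper over the constructed sample files."""
    return hostbased_allowed(client_host, client_user, ("ssh-rsa", key), SHOSTS, KNOWN_HOSTS)

if __name__ == "__main__":
    # Behind the gateway with the gateway's key: True; with its own key: False.
    print(check("gateway.example.org", "brian", "GATEWAYKEY"))
    print(check("gateway.example.org", "brian", "LAPTOPKEY"))
```

The second call shows the point of Brian's first message: a machine behind the alias'er is seen as the gateway, so unless it presents the gateway's host key the known_hosts match fails.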