From owner-freebsd-security  Mon Sep 10 10:15:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from C-Tower.Area51.DK (c-tower.area51.dk [62.243.200.203])
	by hub.freebsd.org (Postfix) with SMTP id 156D437B401
	for <Freebsd-security@FreeBSD.ORG>; Mon, 10 Sep 2001 10:15:08 -0700 (PDT)
Received: (qmail 63204 invoked by uid 1007); 10 Sep 2001 17:15:28 -0000
Date: Mon, 10 Sep 2001 18:15:27 +0100
From: Alex Holst <a@area51.dk>
To: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <20010910181527.C59628@area51.dk>
Mail-Followup-To: Alex Holst <a@area51.dk>,
	Freebsd-security@FreeBSD.ORG
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <Pine.BSF.4.10.10109101235200.46378-100000@federation.addy.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3B9CF42B.FDBF942A@algroup.co.uk>; from adam@algroup.co.uk on Mon, Sep 10, 2001 at 06:11:07PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Quoting Adam Laurie (adam@algroup.co.uk):
> Alex Holst wrote:
> > I assume you mean ~/.ssh/identity on the client side? If it's your server,
> > you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys
> > are significantly stronger plain passwords. What do you use for
> > authentication? SecurID? CryptoCard?
> 
> speaking of which, shouldn't the daily/weekly/monthly security checks
> notify if authorized_keys has changed in the same way that it does for a
> change of password?

No, a user should be free to change and add keys as they see fit. The sshd
already implements access control if there is a chance authorized_keys has
been tampered with.

If you really want to verify all changes to users authorized_keys file,
change the ownership so users can't modify the file but still read it.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message