Date: Mon, 10 Sep 2001 18:15:27 +0100 From: Alex Holst <a@area51.dk> To: Freebsd-security@FreeBSD.ORG Subject: Re: allow selective RSA AUTH in sshd setup? Message-ID: <20010910181527.C59628@area51.dk> In-Reply-To: <3B9CF42B.FDBF942A@algroup.co.uk>; from adam@algroup.co.uk on Mon, Sep 10, 2001 at 06:11:07PM %2B0100 References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <Pine.BSF.4.10.10109101235200.46378-100000@federation.addy.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
Quoting Adam Laurie (adam@algroup.co.uk): > Alex Holst wrote: > > I assume you mean ~/.ssh/identity on the client side? If it's your server, > > you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys > > are significantly stronger plain passwords. What do you use for > > authentication? SecurID? CryptoCard? > > speaking of which, shouldn't the daily/weekly/monthly security checks > notify if authorized_keys has changed in the same way that it does for a > change of password? No, a user should be free to change and add keys as they see fit. The sshd already implements access control if there is a chance authorized_keys has been tampered with. If you really want to verify all changes to users authorized_keys file, change the ownership so users can't modify the file but still read it. -- I prefer the dark of the night, after midnight and before four-thirty, when it's more bare, more hollow. http://a.area51.dk/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010910181527.C59628>