From: Adam Laurie <adam@algroup.co.uk>
Date: Mon, 10 Sep 2001 19:05:04 +0100
To: Alex Holst
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?

Alex Holst wrote:
>
> Quoting Adam Laurie (adam@algroup.co.uk):
> > Alex Holst wrote:
> > > I assume you mean ~/.ssh/identity on the client side? If it's your server,
> > > you can enforce rules on authorized_keys. I'm somewhat puzzled as RSA keys
> > > are significantly stronger than plain passwords. What do you use for
> > > authentication? SecurID? CryptoCard?
> >
> > speaking of which, shouldn't the daily/weekly/monthly security checks
> > notify if authorized_keys has changed in the same way that it does for a
> > change of password?
>
> No, a user should be free to change and add keys as they see fit. The sshd
> already implements access control if there is a chance authorized_keys has
> been tampered with.

so why do password changes get notified then?
i don't see the rationale that says root should get notified if a user
changes his password, but not if he gives someone else access to the box...
surely the point of a security check is to notify potential new security
risks? apart from him probably not being authorised to make such decisions,
the user himself may not even be aware that something he's done has caused
a key to be added to his password file...

> If you really want to verify all changes to users' authorized_keys file,
> change the ownership so users can't modify the file but still read it.

and how would you do that without blocking their entire home directory
then? :)

cheers,
Adam
--
Adam Laurie                Tel: +44 (20) 8742 0755
A.L. Digital Ltd.          Fax: +44 (20) 8742 5995
The Stores                 http://www.thebunker.net
2 Bath Road                http://www.aldigital.co.uk
London W4 1LT              mailto:adam@algroup.co.uk
UNITED KINGDOM             PGP key on keyservers
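The periodic check Adam asks about, as an added example that is not part of the thread or of FreeBSD's own /etc/security script: a sh function that diffs each user's ~/.ssh/authorized_keys against a reference copy and reports new or altered files, modelled on the passwd-change report. The /home layout and the /var/backups reference directory are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreeBSD's /etc/security:
# report changes to users' ~/.ssh/authorized_keys the way the daily security
# check reports passwd changes, by diffing each file against a saved copy and
# then refreshing that copy. Also warns when the file is group- or
# world-writable, which sshd (with StrictModes) would refuse anyway.
#
# check_authorized_keys HOME_BASE BACKUP_DIR
#   HOME_BASE   directory holding user home directories (assumed: /home)
#   BACKUP_DIR  where reference copies are kept (assumed: /var/backups)
# Returns 0 if nothing changed, 1 if any key file is new or altered, 2 on error.
check_authorized_keys() {
    home_base=$1
    backup_dir=$2
    changed=0
    mkdir -p "$backup_dir" || return 2
    for keyfile in "$home_base"/*/.ssh/authorized_keys; do
        [ -f "$keyfile" ] || continue
        # user name is the home directory component: HOME_BASE/<user>/.ssh/...
        user=$(basename "$(dirname "$(dirname "$keyfile")")")
        bak="$backup_dir/authorized_keys.$user.bak"
        # ls -l mode string: char 6 is group write, char 9 is other write
        case $(ls -ld "$keyfile" | cut -c1-10) in
            ?????w????|????????w?)
                echo "$user: authorized_keys is group- or world-writable" ;;
        esac
        if [ ! -f "$bak" ]; then
            echo "$user: authorized_keys is new (no reference copy yet)"
            changed=1
        elif ! cmp -s "$bak" "$keyfile"; then
            echo "$user: authorized_keys changed:"
            diff -u "$bak" "$keyfile"
            changed=1
        fi
        # refresh the reference copy so the next run reports only new changes
        cp -p "$keyfile" "$bak" || return 2
    done
    return $changed
}

# Run directly as: sh check_authorized_keys.sh /home /var/backups
if [ $# -eq 2 ]; then
    check_authorized_keys "$1" "$2"
fi
```

Hooked into periodic(8) it would mail the diff with the rest of the daily security output; the first run reports every existing file as new, since no reference copy exists yet.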