Date: Mon, 10 Sep 2001 19:05:04 +0100
From: Adam Laurie <adam@algroup.co.uk>
To: Alex Holst <a@area51.dk>
Cc: Freebsd-security@FreeBSD.ORG
Subject: Re: allow selective RSA AUTH in sshd setup?
Message-ID: <3B9D00D0.C522C41A@algroup.co.uk>
References: <001c01c1385e$d8e43400$f0f2a118@tampabay.rr.com> <Pine.BSF.4.10.10109101235200.46378-100000@federation.addy.com> <20010910180239.B59628@area51.dk> <3B9CF42B.FDBF942A@algroup.co.uk> <20010910181527.C59628@area51.dk>
Alex Holst wrote:
>
> Quoting Adam Laurie (adam@algroup.co.uk):
> > Alex Holst wrote:
> > > I assume you mean ~/.ssh/identity on the client side? If it's your server,
> > > you can enforce rules on authorized_keys. I'm somewhat puzzled, as RSA keys
> > > are significantly stronger than plain passwords. What do you use for
> > > authentication? SecurID? CryptoCard?
> >
> > Speaking of which, shouldn't the daily/weekly/monthly security checks
> > notify if authorized_keys has changed, in the same way that it does for a
> > change of password?
>
> No, a user should be free to change and add keys as they see fit. The sshd
> already implements access control if there is a chance authorized_keys has
> been tampered with.

So why do password changes get notified then? I don't see the rationale
that says root should get notified if a user changes his password, but
not if he gives someone else access to the box... Surely the point of a
security check is to notify of potential new security risks? Apart from him
probably not being authorised to make such decisions, the user himself
may not even be aware that something he's done has caused a key to be
added to his password file...

> If you really want to verify all changes to users' authorized_keys files,
> change the ownership so users can't modify the file but still read it.

And how would you do that without blocking their entire home directory
then? :)

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers
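The check Adam is asking about, as an added example that is not part of the thread and not the FreeBSD periodic scripts themselves: a daily-security-style pass that snapshots every user's ~/.ssh/authorized_keys and reports files that appeared, vanished or changed since the last run, the way the password-file check reports diffs. It assumes user homes live under a root directory passed as the first argument, that the baseline is kept in a state directory passed as the second, and that a SHA-256 tool exists as sha256sum (Linux) or sha256 -q (FreeBSD); the user names and keys in the usage are constructed.

```shell
#!/bin/sh
# Added example: report added/removed/modified authorized_keys files.
# Assumptions (mine, not the list's): homes under $1, baseline under $2,
# sha256sum or sha256 available. Not the FreeBSD periodic script itself.
LC_ALL=C; export LC_ALL   # stable sort/comm ordering across runs

# Print the SHA-256 of one file with whichever digest tool is installed.
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Count the lines that can actually grant access: non-blank, non-comment.
count_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# Emit one sorted line per user that has an authorized_keys file:
#   <user> <sha256-of-file> <number-of-keys>
keys_snapshot() {
    home_root=$1
    for dir in "$home_root"/*; do
        keyfile="$dir/.ssh/authorized_keys"
        [ -f "$keyfile" ] || continue
        printf '%s %s %s\n' "$(basename "$dir")" \
            "$(digest_file "$keyfile")" "$(count_keys "$keyfile")"
    done | sort
}

# Compare today's snapshot with the saved baseline. Prints a report and
# returns 1 when something changed (periodic(8) convention: output gets
# mailed to root); prints nothing and returns 0 when quiet. The first run
# only records the baseline, as the passwd check does.
check_authorized_keys() {
    home_root=$1
    state_dir=$2
    baseline="$state_dir/authorized_keys.baseline"
    current="$state_dir/authorized_keys.current"
    mkdir -p "$state_dir"
    keys_snapshot "$home_root" > "$current"
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        return 0
    fi
    if cmp -s "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    echo "Changes to users' authorized_keys files:"
    # Lines only in the baseline: files that vanished, or their old contents.
    comm -23 "$baseline" "$current" |
        awk '{ printf "  was:  %s  %s key(s)  sha256 %s\n", $1, $3, $2 }'
    # Lines only in the current snapshot: new files, or the new contents.
    comm -13 "$baseline" "$current" |
        awk '{ printf "  now:  %s  %s key(s)  sha256 %s\n", $1, $3, $2 }'
    mv "$current" "$baseline"
    return 1
}

# Stand-alone usage from a daily cron or periodic job (constructed paths):
#   check_authorized_keys /home /var/db/authorized_keys_check
```

The report prints the key count next to the hash, so a one-line "was: 1 key, now: 2 keys" tells root at a glance that access was granted rather than a key merely rotated. Because the snapshot is per user, a file that disappears shows up as a "was:" line with no matching "now:", which is worth noticing too: a user whose key file vanished is one who may be about to fall back to passwords.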