<div dir="ltr"><p>thanks Alain - your document is a useful faq but I'm looking at a policy to prevent DBA's etc so they don't use passwordless keys or leave ssh-agent running or other ssh bad practices. Users can create keys anywhere and I'm powerless to stop how they create them.<br>
</p><p>If a hacker got hold of password less keys they would control servers at ease.</p><p>I can't see options for sshd that lets your prevent you accepting passwordless keys or find any commercial/open software that does this with OpenSSH. </p>
<p>Any advice appreciated.</p><br><div class="gmail_quote">2008/9/16 Alain Williams <span dir="ltr"><<a href="mailto:addw@phcomp.co.uk">addw@phcomp.co.uk</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div class="Wj3C7c">On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:<br>
> Hi Everyone,<br>
><br>
> Does anyone know how to prevent the use of passwordless ssh keys? I want to<br>
> prevent users authenticating without a password.<br>
><br>
> In fact if anyone know of any ssh policing tools/faqs that would be really<br>
> usefull. I find it simple securing a server, but when you have 100's of<br>
> linux desktops I'm unsure on the best way to stop users leaving ssh-agent<br>
> running all the time or using passwordless keys.<br>
><br>
> Discussion/advise appreciated.<br>
<br>
</div></div>I have had a write up about this for some years:<br>
<br>
<a href="http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php" target="_blank">http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php</a><br>
<br>
Comments/suggestions gratefully received.<br>
<br>
--<br>
Alain Williams<br>
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.<br>
+44 (0) 787 668 0256 <a href="http://www.phcomp.co.uk/" target="_blank">http://www.phcomp.co.uk/</a><br>
Parliament Hill Computers Ltd. Registration Information: <a href="http://www.phcomp.co.uk/contact.php" target="_blank">http://www.phcomp.co.uk/contact.php</a><br>
Chairman of UKUUG: <a href="http://www.ukuug.org/#include" target="_blank">http://www.ukuug.org/<br>
#include</a> <std_disclaimer.h><br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
</blockquote></div><br></div>