<div dir="ltr"><p>Hi Magnus, thanks for your input. I think that what Yvan said is true and that it will come down to policy even if I distributed the keys myself, as users can update their own authorized_keys file in their .ssh folder. I guess if I get time I could police this by locking down the authorized_keys file so users can't update it, but it will involve some testing.</p>
<p>I could also check the authorized key file to ensure it only has keys generated by me inside it. mmmm, I need to go and do some testing.<br></p><br><div class="gmail_quote">2008/9/16 Magnus Kelly <span dir="ltr"><<a href="mailto:magnus.kelly@mapesbury.com">magnus.kelly@mapesbury.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi,<br>
<br>
Would it not be possible to generate centrally password protected keys<br>
and then distribute the private key to the people who require them?<br>
(after installing the other key pair on the servers that need remote<br>
access?)<br>
<br>
Would this not achieve two things: a) prevent non-password keys from<br>
being used and b) prevent anyone from being able to lock the system<br>
owner out?<br>
<font color="#888888"><br>
Magnus<br>
</font><div><div class="Wj3C7c"><br>
> -----Original Message-----<br>
> From: <a href="mailto:watford-bounces@mailman.lug.org.uk">watford-bounces@mailman.lug.org.uk</a> [mailto:<a href="mailto:watford-">watford-</a><br>
> <a href="mailto:bounces@mailman.lug.org.uk">bounces@mailman.lug.org.uk</a>] On Behalf Of Yvan Seth<br>
> Sent: 16 September 2008 13:41<br>
> To: <a href="mailto:watford@mailman.lug.org.uk">watford@mailman.lug.org.uk</a><br>
> Subject: Re: [Watford] SSH Questions<br>
><br>
> On Tue, Sep 16, 2008 at 11:16:12AM +0100, Mark Stewart wrote:<br>
> > thanks Alain - your document is a useful faq but I'm looking at a<br>
> > policy to prevent DBAs etc so they don't use passwordless keys or<br>
> > leave ssh-agent running or other ssh bad practices. Users can create<br>
> > keys anywhere and I'm powerless to stop how they create them.<br>
> ><br>
> > If a hacker got hold of passwordless keys they would control servers<br>
> > at ease.<br>
> ><br>
> > I can't see options for sshd that let you prevent accepting<br>
> > passwordless keys or find any commercial/open software that does this<br>
> > with OpenSSH.<br>
><br>
> Hi Mark,<br>
><br>
> Passphrases on SSH keys are 100% handled at the client side. There is<br>
> no way to know at your server-end whether or not the key used was<br>
> protected by a passphrase or not (or provided by an ssh-agent for that<br>
> matter.)<br>
><br>
> The best you can do is "implement policy."<br>
><br>
> The alternative is to not allow key based authentication. Permit<br>
> password authentication only and strengthen up your password quality<br>
> requirements.<br>
><br>
> Both ways have their downsides.<br>
><br>
> -Yvan<br>
><br>
> _______________________________________________<br>
> Watford mailing list<br>
> <a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
> <a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
<br>
</div></div></blockquote></div><br></div>
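Mark's idea of checking that an authorized_keys file contains only centrally issued keys, as an added example (not code from anyone in the thread): a Python audit that fingerprints each entry the way `ssh-keygen -lf` does and flags any key whose fingerprint is not on the admin's allow-list, plus lines sshd could not parse. The key bodies and the sample file are constructed, and the `audit`/`parse_authorized_key` names and the allow-list set are assumptions.

```python
import base64, hashlib, struct

# Key types sshd accepts (OpenSSH names); sk-/cert variants omitted for brevity.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def fingerprint(blob: bytes) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 of the key blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_key(line: str):
    """Return (options, key_type, blob) for one authorized_keys entry, or None if unparseable."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):  # options (possibly containing spaces) precede the type
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True) if tok in KEY_TYPES else b""
        except ValueError:
            continue
        if blob.startswith(ssh_string(tok.encode())):  # a valid blob starts with its own type string
            return " ".join(tokens[:i]), tok, blob
    return None

def audit(authorized_keys_text: str, issued: set) -> list:
    """Classify each entry: 'issued' (fingerprint on the allow-list), 'unknown', or 'malformed'."""
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no key
        parsed = parse_authorized_key(line)
        fp = fingerprint(parsed[2]) if parsed else None
        status = "malformed" if fp is None else ("issued" if fp in issued else "unknown")
        findings.append((n, status, fp))
    return findings

def constructed_entry(seed: int) -> str:
    """CONSTRUCTED sample: a well-formed ssh-ed25519 entry whose 32-byte body is not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(bytes([seed])).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

ISSUED_ENTRY = constructed_entry(1) + " dba1@issued-by-admin"
ISSUED_FINGERPRINTS = {fingerprint(parse_authorized_key(ISSUED_ENTRY)[2])}  # the admin's allow-list
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys",
    ISSUED_ENTRY,
    'no-pty,command="/bin/true" ' + constructed_entry(2) + " self-generated",  # user-made key
    "ssh-ed25519 not-base64!! junk",  # sshd would reject this line
])
```

As Yvan notes, nothing on the server can tell whether the matching private key has a passphrase; this check only enforces that the public half came from the admin.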