<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.gmailquote
        {mso-style-name:gmail_quote;}
span.q
        {mso-style-name:q;}
span.e
        {mso-style-name:e;}
span.EmailStyle20
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-GB link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi, <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>&nbsp;but is it not possible to limit file permissions to make
the .ssh directories read only to all but root? Or does ssh insist on having
write access?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Might be a silly question, but I had always thought this was one
of the inherent benefits of unix?<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Magnus<o:p></o:p></span></p>

<p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p>&nbsp;</o:p></span></a></p>

<div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'>

<div>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>

<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> watford-bounces@mailman.lug.org.uk
[mailto:watford-bounces@mailman.lug.org.uk] <b>On Behalf Of </b>Mark Stewart<br>
<b>Sent:</b> 16 September 2008 20:45<br>
<b>To:</b> watford@mailman.lug.org.uk<br>
<b>Subject:</b> Re: [Watford] SSH Questions<o:p></o:p></span></p>

</div>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal>do you mean you store the path to the authorized_keys file
in ldap? Or the actual list of public keys?<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><br>
&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><span class=gmailquote>On 16/09/2008, <b>Neel Upadhyaya</b>
&lt;<a href="mailto:bahulneel@gmail.com">bahulneel@gmail.com</a>&gt; wrote:</span>
<o:p></o:p></p>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'>You can offload this to
ldap.&nbsp; We do that here.<o:p></o:p></p>

<div>

<p class=MsoNormal><span class=q>2008/9/16 Mark Stewart &lt;<a
href="mailto:markwstewart@gmail.com" target="_blank">markwstewart@gmail.com</a>&gt;</span><o:p></o:p></p>

<p class=MsoNormal>good - point. I want to avoid a PKI style role out - I'm
looking at <o:p></o:p></p>

<div>

<p class=MsoNormal><br>
<span class=e>ways of locking/changing location of the authorized_key file.<o:p></o:p></span></p>

<div>

<div>

<p class=MsoNormal><br>
On 16/09/2008, Yvan Seth &lt;<a href="http://watford.lug.org.uk/"
target="_blank">watford.lug.org.uk</a>@<a href="http://malignity.net/"
target="_blank">malignity.net</a>&gt; wrote:<br>
&gt; On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:<br>
&gt;&gt; Hi Magnus, thanks for your input. I think that what Yvan said is true<br>
&gt;&gt; and that it will come down to policy even if I distributed the keys<br>
&gt;&gt; myself as users can update their own authorized_keys file in their<br>
&gt;&gt; .ssh folder. I guess if I get time I could police by locking down the<br>
&gt;&gt; authorized_keys file so users can't update it but will involve some<br>
&gt;&gt; testing.<br>
&gt;&gt;<br>
&gt;&gt; I could also check the authorized key file to ensure it only has keys<br>
&gt;&gt; generated by me inside it. mmmm, I need to go and do some testing.<br>
&gt;<br>
&gt; Alas, Magnus's suggestion doesn't quite work. &nbsp;You can distribute<br>
&gt; pre-passphrased keys but then your users (who obviously must know the<br>
&gt; passphrase) can &quot;unwwap&quot; the key to an unprotected version (see
the<br>
&gt; ssh-keygen manpage.) &nbsp;Assuming you have mischievous users.<br>
&gt;<br>
&gt; There is another completely different option... use an external key<br>
&gt; dongle of some kind. &nbsp;See the -I option for the command-line SSH
client.<br>
&gt; I've never seen this in action and have no idea what the caveats are.<br>
&gt; Top Google links for &quot;ssh smartcard&quot;:<br>
&gt; &nbsp; &nbsp; <a href="http://smartcard-auth.de/ssh-en.html"
target="_blank">http://smartcard-auth.de/ssh-en.html</a><br>
&gt; &nbsp; &nbsp; <a
href="http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html"
target="_blank">http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html</a><br>
&gt; (Question for further research: what's to stop someone from simply<br>
&gt; dumping the key data from the &quot;smart&quot; card?)<br>
&gt;<br>
&gt; -Yvan<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; Watford mailing list<br>
&gt; <a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
&gt; <a href="https://mailman.lug.org.uk/mailman/listinfo/watford"
target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
&gt;<br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
&nbsp;<o:p></o:p></p>

</div>

</div>

</div>

</div>

<p class=MsoNormal><br>
<br clear=all>
<br>
<span class=q>-- </span><br>
<span class=q>MCSE is to computers as McDonalds Certified Chef is to fine
cuisine.</span><o:p></o:p></p>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</div>

</body>

</html>