<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:Z="urn:schemas-microsoft-com:" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.gmailquote
{mso-style-name:gmail_quote;}
span.q
{mso-style-name:q;}
span.e
{mso-style-name:e;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Hi, <o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> but is it not possible to limit file permissions to make
the .ssh directories read only to all but root? Or does ssh insist on having
write access?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Might be a silly question, but I had always thought this was one
of the inherent benefits of unix?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Magnus<o:p></o:p></span></p>
<p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;
font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></a></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt'>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> watford-bounces@mailman.lug.org.uk
[mailto:watford-bounces@mailman.lug.org.uk] <b>On Behalf Of </b>Mark Stewart<br>
<b>Sent:</b> 16 September 2008 20:45<br>
<b>To:</b> watford@mailman.lug.org.uk<br>
<b>Subject:</b> Re: [Watford] SSH Questions<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<p class=MsoNormal>do you mean you store the path to the authorized_keys file
in ldap? Or the actual list of public keys?<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><br>
<o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><span class=gmailquote>On 16/09/2008, <b>Neel Upadhyaya</b>
<<a href="mailto:bahulneel@gmail.com">bahulneel@gmail.com</a>> wrote:</span>
<o:p></o:p></p>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'>You can offload this to
ldap. We do that here.<o:p></o:p></p>
<div>
<p class=MsoNormal><span class=q>2008/9/16 Mark Stewart <<a
href="mailto:markwstewart@gmail.com" target="_blank">markwstewart@gmail.com</a>></span><o:p></o:p></p>
<p class=MsoNormal>good - point. I want to avoid a PKI style role out - I'm
looking at <o:p></o:p></p>
<div>
<p class=MsoNormal><br>
<span class=e>ways of locking/changing location of the authorized_key file.<o:p></o:p></span></p>
<div>
<div>
<p class=MsoNormal><br>
On 16/09/2008, Yvan Seth <<a href="http://watford.lug.org.uk/"
target="_blank">watford.lug.org.uk</a>@<a href="http://malignity.net/"
target="_blank">malignity.net</a>> wrote:<br>
> On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:<br>
>> Hi Magnus, thanks for your input. I think that what Yvan said is true<br>
>> and that it will come down to policy even if I distributed the keys<br>
>> myself as users can update their own authorized_keys file in their<br>
>> .ssh folder. I guess if I get time I could police by locking down the<br>
>> authorized_keys file so users can't update it but will involve some<br>
>> testing.<br>
>><br>
>> I could also check the authorized key file to ensure it only has keys<br>
>> generated by me inside it. mmmm, I need to go and do some testing.<br>
><br>
> Alas, Magnus's suggestion doesn't quite work. You can distribute<br>
> pre-passphrased keys but then your users (who obviously must know the<br>
> passphrase) can "unwwap" the key to an unprotected version (see
the<br>
> ssh-keygen manpage.) Assuming you have mischievous users.<br>
><br>
> There is another completely different option... use an external key<br>
> dongle of some kind. See the -I option for the command-line SSH
client.<br>
> I've never seen this in action and have no idea what the caveats are.<br>
> Top Google links for "ssh smartcard":<br>
> <a href="http://smartcard-auth.de/ssh-en.html"
target="_blank">http://smartcard-auth.de/ssh-en.html</a><br>
> <a
href="http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html"
target="_blank">http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html</a><br>
> (Question for further research: what's to stop someone from simply<br>
> dumping the key data from the "smart" card?)<br>
><br>
> -Yvan<br>
><br>
> _______________________________________________<br>
> Watford mailing list<br>
> <a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
> <a href="https://mailman.lug.org.uk/mailman/listinfo/watford"
target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
><br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><br>
<br clear=all>
<br>
<span class=q>-- </span><br>
<span class=q>MCSE is to computers as McDonalds Certified Chef is to fine
cuisine.</span><o:p></o:p></p>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><o:p></o:p></p>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>