[Gllug] Selective SSH logins

Garry Heaton garry at heaton6.freeserve.co.uk
Tue Aug 26 12:57:20 UTC 2008


Daniel P. Berrange wrote:

> And if you have NFS home directories, and aren't requiring Kerberized NFS
> clients, then SSH keys are worse than useless thanks to NFS' complete lack
> of a security model (i.e. it trusts clients to be truthful wrt UIDs). And
> if you are requiring Kerberized NFS, then you can just use GSSAPI logins 
> anyway, so don't need SSH keys.  SSH keys + NFS home dirs == recipe for
> disaster.  Of course non-Kerberized NFS + password login is no better 
> either.
> 
> Daniel

This is for SFTP access to a webserver so no NFS issues. Currently I'm using 
IP filtering at the firewall with SSH password logins as there are only a 
couple of users but I'd like to switch to SSH key authentication and do away 
with the IP filtering.

Garry





-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug



