[Gllug] Selective SSH logins
Daniel P. Berrange
dan at berrange.com
Tue Aug 26 12:45:03 UTC 2008
On Tue, Aug 26, 2008 at 01:39:35PM +0100, - Tethys wrote:
> On Tue, Aug 26, 2008 at 1:26 PM, James Laver <gllug at jameslaver.com> wrote:
>
> > I assume you have reasonable justification beyond "I'm incapable of keeping
> > my private key safe"?
>
> That's justification enough in my eyes. Overall system security is
> only as strong as its weakest component. The more remote users you
> have, the higher the chance that one of them has a compromised private
> key. Don't get me wrong, ssh keys have their uses, and I use them
> extensively. But they're not without their problems, and few seem to
> admit that those problems exist. Like everything else in the security
> world, ssh keys are a tradeoff. In this case, increasing protection
> against snooping, at the expense of losing control over the security
> of the private keys (and hence overall system security).
And if you have NFS home directories, and aren't requiring Kerberized NFS
clients, then SSH keys are worse than useless thanks to NFS' complete lack
of a security model (i.e. it trusts clients to be truthful wrt UIDs). And
if you are requiring Kerberized NFS, then you can just use GSSAPI logins
anyway, so don't need SSH keys. SSH keys + NFS home dirs == recipe for
disaster. Of course non-Kerberized NFS + password login is no better
either.
Daniel
--
|: http://berrange.com/ -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/ -o- http://gtk-vnc.sourceforge.net :|
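The point in Daniel's message above is that an authorized_keys file sitting on a non-Kerberized NFS export is only as trustworthy as the UID claimed by whichever client mounts it. The script below is an added example, not code from the thread or from any project mentioned in it: it classifies each home directory by the filesystem type and mount options that `findmnt -no FSTYPE,OPTIONS <home>` would report (NFS with `sec=sys`, the default, trusts client UIDs; `sec=krb5*` authenticates them), counts the homes where a key file is exposed, and prints the sshd_config directives that move key files off the home directory altogether. The user/home/mount table is constructed sample input so the script runs offline; on a real host you would build it from `getent passwd` and `findmnt`.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits where each user's
# ~/.ssh/authorized_keys would live and flags the ones on NFS exports that
# rely on AUTH_SYS (client-asserted UIDs) rather than Kerberos.

# Constructed sample rows: user, home, fstype, mount options.
SAMPLE_HOMES='alice /home/alice nfs4 rw,sec=krb5p,vers=4.1
bob /home/bob nfs rw,sec=sys,vers=3
carol /home/carol ext4 rw,relatime
dave /export/home/dave nfs4 rw,vers=4.2'

# classify_home FSTYPE OPTIONS
# Prints: local | nfs-kerberos | nfs-sys
classify_home() {
    fstype=$1
    opts=$2
    case "$fstype" in
        nfs|nfs4)
            # Wrap in commas so "sec=" matches only as a whole option.
            case ",$opts," in
                *,sec=krb5*) echo "nfs-kerberos" ;;
                # No sec= option means sec=sys: the server believes the client's UID.
                *) echo "nfs-sys" ;;
            esac
            ;;
        *) echo "local" ;;
    esac
}

# count_at_risk < rows
# Reads rows on stdin, warns on stderr for each exposed key file,
# prints the number of exposed homes on stdout.
count_at_risk() {
    n=0
    while read -r user home fstype opts; do
        [ -z "$user" ] && continue
        verdict=$(classify_home "$fstype" "$opts")
        if [ "$verdict" = nfs-sys ]; then
            n=$((n + 1))
            echo "WARN $user: $home/.ssh/authorized_keys is on sec=sys NFS;" \
                 "any host allowed to mount the export can write it as $user's UID" >&2
        fi
    done
    echo "$n"
}

# sshd_config_mitigation
# Prints the directives that keep key files on local, root-owned storage:
# AuthorizedKeysFile with the %u token and StrictModes are standard sshd options.
sshd_config_mitigation() {
    printf '%s\n' \
        '# Keep authorized keys out of NFS home directories' \
        'AuthorizedKeysFile /etc/ssh/authorized_keys/%u' \
        'StrictModes yes'
}

# Run the audit over the constructed rows when executed directly.
exposed=$(printf '%s\n' "$SAMPLE_HOMES" | count_at_risk)
echo "exposed authorized_keys files: $exposed"
if [ "$exposed" -gt 0 ]; then
    echo "suggested sshd_config change:"
    sshd_config_mitigation
fi
```

The `/etc/ssh/authorized_keys/%u` directory must be root-owned and populated by the administrator (for example from a configuration management system), which turns key distribution from something each user controls on a shared export into something only root on the SSH server controls.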