[Gllug] Selective SSH logins

Daniel P. Berrange dan at berrange.com
Tue Aug 26 12:45:03 UTC 2008

On Tue, Aug 26, 2008 at 01:39:35PM +0100, - Tethys wrote:
> On Tue, Aug 26, 2008 at 1:26 PM, James Laver <gllug at jameslaver.com> wrote:
> > I assume you have reasonable justification beyond "I'm incapable of keeping
> > my private key safe"?
> That's justification enough in my eyes. Overall system security is
> only as strong as its weakest component. The more remote users you
> have, the higher the chance that one of them has a compromised private
> key. Don't get me wrong, ssh keys have their uses, and I use them
> extensively. But they're not without their problems, and few seem to
> admit that those problems exist. Like everything else in the security
> world, ssh keys are a tradeoff. In this case, increasing protection
> against snooping, at the expense of losing control over the security
> of the private keys (and hence overall system security).

And if you have  NFS home directories, and aren't requiring Keberized NFS
clients, then SSH keys are worse than useless thanks to NFS' complete lack
of a security model (ie it trusts clients to be truthful wrt to UIDs). And
if you are requiring Kerberized NFS, then you can just use GSSAPI logins 
anyway, so don't need SSH keys.  SSH keys + NFS home dirs == recipe for
disaster.  Of course non-Kerberized NFS + password login is no better 

|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20080826/d58454ff/attachment.pgp>
-------------- next part --------------
Gllug mailing list  -  Gllug at gllug.org.uk

More information about the GLLUG mailing list