[Gllug] Selective SSH logins

John Edwards john at cornerstonelinux.co.uk
Tue Aug 26 18:26:13 UTC 2008


On Tue, Aug 26, 2008 at 06:35:52PM +0100, Jose Luis Martinez wrote:
> 2008/8/26 Daniel P. Berrange <dan at berrange.com>:
>  <snip>
> 
>> And if you have NFS home directories, and aren't requiring Kerberized NFS
>> clients, then SSH keys are worse than useless thanks to NFS' complete lack
>> of a security model (ie it trusts clients to be truthful wrt to UIDs). And
>> if you are requiring Kerberized NFS, then you can just use GSSAPI logins
>> anyway, so don't need SSH keys.  SSH keys + NFS home dirs == recipe for
>> disaster.  Of course non-Kerberized NFS + password login is no better
> 
> In a previous job of mine NFS + ssh keys was a grave offence that
> could lead to dismissal, a justified policy if you ask me.

Even when protected by a passphrase?

There's a lot worse that can happen when you share your home
directory over NFS, such as adding things to .bashrc, for 
example a key logging shell which will capture your passwords.


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
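
A defender's audit for the setup discussed in this thread, as an added example that is not part of the original message: it reads `/proc/mounts`-style and `/etc/passwd`-style text and lists accounts whose home directory sits on an NFS mount without a Kerberos security flavor. The function names and sample data are constructed for illustration, and treating a missing `sec=` option as untrusted is an assumption.

```python
import posixpath

KERBEROS_FLAVORS = {"krb5", "krb5i", "krb5p"}
# Files the thread worries about: login keys and shell start-up code.
SENSITIVE = (".ssh/authorized_keys", ".bashrc")

# Constructed sample input in /proc/mounts and /etc/passwd format.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
filer:/export/home /home nfs rw,vers=3,sec=sys,addr=192.0.2.10 0 0
filer:/export/secure /home/secure nfs4 rw,vers=4.1,sec=krb5p,addr=192.0.2.10 0 0
/dev/sdb1 /home/scratch ext4 rw,relatime 0 0
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/secure/bob:/bin/bash
carol:x:1002:1002::/home/scratch/carol:/bin/bash
"""

def parse_mounts(mounts_text):
    """Map mount point -> NFS security flavor, or None for non-NFS mounts."""
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        is_nfs = fields[2] in ("nfs", "nfs4")
        # Assumption: an NFS mount showing no sec= option is not trusted.
        mounts[fields[1].rstrip("/") or "/"] = opts.get("sec", "unspecified") if is_nfs else None
    return mounts

def covering_mount(path, mounts):
    """Longest mount point that is the path itself or one of its parents."""
    hits = [m for m in mounts if m == "/" or path == m or path.startswith(m + "/")]
    return max(hits, key=len, default=None)

def homes_at_risk(passwd_text, mounts_text):
    """Map user -> files exposed because the home is on non-Kerberized NFS."""
    mounts = parse_mounts(mounts_text)
    risky = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue
        home = posixpath.normpath(parts[5])
        flavor = mounts.get(covering_mount(home, mounts))
        if flavor is not None and flavor not in KERBEROS_FLAVORS:
            risky[parts[0]] = [posixpath.join(home, f) for f in SENSITIVE]
    return risky
```

On a live host the two inputs would be the contents of `/proc/mounts` and the output of `getent passwd`.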