[Watford] SSH Questions

Mark Stewart markwstewart at gmail.com
Tue Sep 16 14:29:55 UTC 2008


Hi Magnus, thanks for your input. I think that what Yvan said is true and
that it will come down to policy even if I distributed the keys myself, as
users can update their own authorized_keys file in their .ssh folder. I
guess if I get time I could police this by locking down the authorized_keys
file so users can't update it, but it will involve some testing.

I could also check the authorized_keys file to ensure it only has keys
generated by me inside it. mmmm, I need to go and do some testing.

2008/9/16 Magnus Kelly <magnus.kelly at mapesbury.com>

> Hi,
>
> Would it not be possible to generate centrally password protected keys
> and then distribute the private key to the people who require them?
> (after installing the other key pair on the servers that need remote
> access?)
>
> Would this not achieve two things: a) prevent non-password keys from
> being used, and b) prevent anyone from being able to lock the system
> owner out?
>
> Magnus
>
> > -----Original Message-----
> > From: watford-bounces at mailman.lug.org.uk [mailto:watford-
> > bounces at mailman.lug.org.uk] On Behalf Of Yvan Seth
> > Sent: 16 September 2008 13:41
> > To: watford at mailman.lug.org.uk
> > Subject: Re: [Watford] SSH Questions
> >
> > On Tue, Sep 16, 2008 at 11:16:12AM +0100, Mark Stewart wrote:
> > > thanks Alain - your document is a useful faq but I'm looking at a
> > > policy to prevent DBAs etc. so they don't use passwordless keys or
> > > leave ssh-agent running or other ssh bad practices. Users can create
> > > keys anywhere and I'm powerless to stop how they create them.
> > >
> > > If a hacker got hold of passwordless keys they would control
> > > servers at ease.
> > >
> > > I can't see options for sshd that let you prevent accepting
> > > passwordless keys or find any commercial/open software that does
> > > this with OpenSSH.
> >
> > Hi Mark,
> >
> > Passphrases on SSH keys are 100% handled at the client side.  There is
> > no way to know at your server-end whether or not the key used was
> > protected by a passphrase (or provided by an ssh-agent, for that
> > matter).
> >
> > The best you can do is "implement policy."
> >
> > The alternative is to not allow key based authentication.  Permit
> > password authentication only and strengthen your password quality
> > requirements.
> >
> > Both ways have their downsides.
> >
> > -Yvan
> >
> > _______________________________________________
> > Watford mailing list
> > Watford at mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/watford
>
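The authorized_keys check Mark describes above (confirming a user's file holds only keys the admin issued), as an added shell example that is not from the thread or any project it mentions. It assumes the issued public keys are kept in a file of one "type blob comment" line each, and the key blobs in the demonstration are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an authorized_keys file against
# an allowlist of centrally issued public keys. Keys are compared on type and
# blob only, so changed comments and option prefixes (from="...") cannot hide
# a key, and every key the admin did not issue is reported.

# Print "type blob" for each key line in the file named by $1, skipping
# blanks, comments and any leading options string.
normalize_keys() {
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                print $i, $(i + 1); break
            }
    }' "$1"
}

# audit_authorized_keys KEYS_FILE ALLOWLIST
# Prints one "UNAPPROVED: type blob" line per key missing from the
# allowlist; returns 0 if every key was issued, 1 otherwise.
audit_authorized_keys() {
    allowed=$(normalize_keys "$2")
    unapproved=$(normalize_keys "$1" | while IFS= read -r key; do
        printf '%s\n' "$allowed" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done)
    [ -z "$unapproved" ] && return 0
    printf '%s\n' "$unapproved" | sed 's/^/UNAPPROVED: /'
    return 1
}

# Constructed demonstration (placeholder blobs): two issued keys; the user's
# file holds both (one with options, one re-commented) plus a self-made key.
demo_audit() {
    dir=$(mktemp -d)
    cat > "$dir/issued.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABISSUEDKEY1CONSTRUCTED dba1@issued
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABISSUEDKEY2CONSTRUCTED dba2@issued
EOF
    cat > "$dir/authorized_keys" <<'EOF'
# installed by the admin
from="10.0.0.0/8",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABISSUEDKEY1CONSTRUCTED dba1@issued
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABISSUEDKEY2CONSTRUCTED dba2-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABSELFMADECONSTRUCTED dba2@home
EOF
    if audit_authorized_keys "$dir/authorized_keys" "$dir/issued.pub"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}
demo_audit || echo "audit failed: a key above was not centrally issued"
```

To make the file itself untouchable, as Mark also considers, sshd_config's AuthorizedKeysFile can point at a root-owned path such as /etc/ssh/authorized_keys/%u, and this audit then runs over that directory instead of each user's ~/.ssh.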