[Watford] SSH Questions
Yvan Seth
watford.lug.org.uk at malignity.net
Tue Sep 16 15:33:10 UTC 2008
On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:
> Hi Magnus, thanks for your input. I think that what Yvan said is true
> and that it will come down to policy even if I distributed the keys
> myself as users can update their own authorized_keys file in their
> .ssh folder. I guess if I get time I could police by locking down the
> authorized_keys file so users can't update it but will involve some
> testing.
>
> I could also check the authorized key file to ensure it only has keys
> generated by me inside it. mmmm, I need to go and do some testing.
Alas, Magnus's suggestion doesn't quite work. You can distribute
pre-passphrased keys but then your users (who obviously must know the
passphrase) can "unwwap" the key to an unprotected version (see the
ssh-keygen manpage.) Assuming you have mischievous users.
There is another completely different option... use an external key
dongle of some kind. See the -I option for the command-line SSH client.
I've never seen this in action and have no idea what the caveats are.
Top Google links for "ssh smartcard":
http://smartcard-auth.de/ssh-en.html
http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html
(Question for further research: what's to stop someone from simply
dumping the key data from the "smart" card?)
-Yvan
More information about the Watford
mailing list