[Watford] SSH Questions

Neel Upadhyaya bahulneel at gmail.com
Tue Sep 16 17:13:17 UTC 2008


You can offload this to LDAP.  We do that here.

2008/9/16 Mark Stewart <markwstewart at gmail.com>

> Good point. I want to avoid a PKI-style roll out - I'm looking at
> ways of locking/changing location of the authorized_keys file.
>
> On 16/09/2008, Yvan Seth <watford.lug.org.uk at malignity.net> wrote:
> > On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:
> >> Hi Magnus, thanks for your input. I think that what Yvan said is true
> >> and that it will come down to policy even if I distributed the keys
> >> myself as users can update their own authorized_keys file in their
> >> .ssh folder. I guess if I get time I could police by locking down the
> >> authorized_keys file so users can't update it but will involve some
> >> testing.
> >>
> >> I could also check the authorized key file to ensure it only has keys
> >> generated by me inside it. mmmm, I need to go and do some testing.
> >
> > Alas, Magnus's suggestion doesn't quite work.  You can distribute
> > pre-passphrased keys but then your users (who obviously must know the
> > passphrase) can "unwrap" the key to an unprotected version (see the
> > ssh-keygen manpage.)  Assuming you have mischievous users.
> >
> > There is another completely different option... use an external key
> > dongle of some kind.  See the -I option for the command-line SSH client.
> > I've never seen this in action and have no idea what the caveats are.
> > Top Google links for "ssh smartcard":
> >     http://smartcard-auth.de/ssh-en.html
> >     http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html
> > (Question for further research: what's to stop someone from simply
> > dumping the key data from the "smart" card?)
> >
> > -Yvan
> >
> > _______________________________________________
> > Watford mailing list
> > Watford at mailman.lug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/watford
> >
>
>



-- 
MCSE is to computers as McDonalds Certified Chef is to fine cuisine.
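An added example, not code from this thread or from any of its participants, for the policing idea in Mark's message (checking that a user's authorized_keys contains only administrator-issued keys): a POSIX shell audit that compares the key type and base64 blob of each entry against an allow-list, so that options a user prepends or comments they change cannot hide a key. The file names, the key blobs and the allow-list format are constructed for the example and are not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit an authorized_keys file against
# an allow-list of administrator-issued public keys.
# Assumes only POSIX sh, awk, sort and mktemp; every file name and key below
# is constructed for illustration.

# extract_keys FILE
# Print "type blob" for every key line, ignoring blank lines, comments, any
# leading options field (from=, command=, ...) and the trailing key comment.
extract_keys() {
    awk '
        $0 ~ /^[[:space:]]*$/ || $0 ~ /^[[:space:]]*#/ { next }
        {
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1)
                    next
                }
            }
            # No recognisable key type: report the raw line rather than accept it silently
            print "UNPARSED", $0
        }' "$1"
}

# audit_keys AUTHORIZED_KEYS ALLOWED_KEYS
# Print every key in AUTHORIZED_KEYS that is not in ALLOWED_KEYS.
# Returns 0 when every key is approved, 1 otherwise, 2 on a setup failure.
audit_keys() {
    tmpdir=$(mktemp -d) || return 2
    extract_keys "$2" | sort -u > "$tmpdir/allowed"
    extract_keys "$1" | sort -u > "$tmpdir/present"
    # FILENAME == ARGV[1] (not NR == FNR) so an empty allow-list approves nothing.
    unapproved=$(awk 'FILENAME == ARGV[1] { allowed[$0] = 1; next } !($0 in allowed)' \
        "$tmpdir/allowed" "$tmpdir/present")
    rm -rf "$tmpdir"
    if [ -n "$unapproved" ]; then
        printf '%s\n' "$unapproved"
        return 1
    fi
    return 0
}

# write_samples DIR
# Create constructed sample files (hypothetical keys, not real ones).
write_samples() {
    # Allow-list: the keys the administrator actually issued.
    cat > "$1/allowed_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminIssuedKey0001 admin-issued alice
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAdminIssuedKey0002 admin-issued alice-laptop
EOF
    # A user's ~/.ssh/authorized_keys as they might have edited it: an issued
    # key with options and a changed comment, an issued key left alone, and a
    # self-generated key that was never approved.
    cat > "$1/authorized_keys" <<'EOF'
# keys
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminIssuedKey0001 my main key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedAdminIssuedKey0002 admin-issued alice-laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedRogueKey0003 alice@home-box
EOF
}

# Stand-alone run: build the sample files and audit them.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if audit_keys "$demo_dir/authorized_keys" "$demo_dir/allowed_keys"; then
    echo "all keys approved"
else
    echo "unapproved keys listed above"
fi
rm -rf "$demo_dir"
```

Run as `sh audit_keys.sh` for the demo, or call `audit_keys /home/USER/.ssh/authorized_keys /etc/ssh/issued_keys/USER` from a cron job and alert on a non-zero exit. The relocation Mark mentions removes the need for this kind of policing: pointing sshd's `AuthorizedKeysFile` directive at a root-owned directory (for example `AuthorizedKeysFile /etc/ssh/authorized_keys/%u`, where `%u` expands to the user name) leaves users unable to add keys at all, and sshd ignores `~/.ssh/authorized_keys` once it is no longer listed.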