[Watford] SSH Questions

Magnus Kelly magnus.kelly at mapesbury.com
Tue Sep 16 20:28:11 UTC 2008


Hi, 

But is it not possible to limit file permissions to make the .ssh
directories read-only to all but root? Or does ssh insist on having
write access?

Might be a silly question, but I had always thought this was one of the
inherent benefits of unix?

Magnus

 

From: watford-bounces at mailman.lug.org.uk
[mailto:watford-bounces at mailman.lug.org.uk] On Behalf Of Mark Stewart
Sent: 16 September 2008 20:45
To: watford at mailman.lug.org.uk
Subject: Re: [Watford] SSH Questions

 

do you mean you store the path to the authorized_keys file in ldap? Or
the actual list of public keys?


 

On 16/09/2008, Neel Upadhyaya <bahulneel at gmail.com> wrote: 

You can offload this to ldap.  We do that here.

2008/9/16 Mark Stewart <markwstewart at gmail.com>

Good point. I want to avoid a PKI-style roll out - I'm looking at
ways of locking/changing location of the authorized_key file.


On 16/09/2008, Yvan Seth <watford.lug.org.uk at malignity.net> wrote:
> On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:
>> Hi Magnus, thanks for your input. I think that what Yvan said is true
>> and that it will come down to policy even if I distributed the keys
>> myself as users can update their own authorized_keys file in their
>> .ssh folder. I guess if I get time I could police by locking down the
>> authorized_keys file so users can't update it but will involve some
>> testing.
>>
>> I could also check the authorized key file to ensure it only has keys
>> generated by me inside it. mmmm, I need to go and do some testing.
>
> Alas, Magnus's suggestion doesn't quite work.  You can distribute
> pre-passphrased keys but then your users (who obviously must know the
> passphrase) can "unwrap" the key to an unprotected version (see the
> ssh-keygen manpage.)  Assuming you have mischievous users.
>
> There is another completely different option... use an external key
> dongle of some kind.  See the -I option for the command-line SSH
> client.
> I've never seen this in action and have no idea what the caveats are.
> Top Google links for "ssh smartcard":
>     http://smartcard-auth.de/ssh-en.html
>     http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html
> (Question for further research: what's to stop someone from simply
> dumping the key data from the "smart" card?)
>
> -Yvan
>
> _______________________________________________
> Watford mailing list
> Watford at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/watford
>

 




-- 
MCSE is to computers as McDonalds Certified Chef is to fine cuisine.


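As an added example (not code from the thread or from OpenSSH), a small POSIX shell script that does the check Mark describes, flagging keys in a user's authorized_keys that the admin did not issue, and tests the "read-only to all but root" idea Magnus raises. The key strings, file paths and the approved list are constructed for the demo; it assumes GNU stat and an sshd with StrictModes left at its default.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a user's authorized_keys
# against an admin-approved key list and check the file is locked to root.
# Key strings are constructed (not real keys); paths are assumptions.

# Reduce one authorized_keys line to "<type> <base64>", skipping any leading
# options (from=, command=, ...) and dropping the trailing comment.
key_id() {
  awk '{ for (i = 1; i < NF; i++)
           if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit } }'
}

# Print keys in $1 that are absent from the approved list $2 (one
# "<type> <base64>" per line). Returns 0 only when every key is approved.
audit_authorized_keys() {
  rc=0
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac      # blank lines and comments
    id=$(printf '%s\n' "$line" | key_id)
    if [ -z "$id" ]; then
      echo "UNPARSEABLE: $line"; rc=1
    elif ! grep -qxF -- "$id" "$2"; then
      echo "UNAPPROVED: $id"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# True when the file is root-owned and writable only by its owner. sshd's
# StrictModes accepts a root-owned authorized_keys that is not group- or
# world-writable, so the user still logs in but cannot append keys. GNU stat.
locked_down() {
  [ "$(stat -c %U "$1")" = root ] && [ $((0$(stat -c %a "$1") & 022)) -eq 0 ]
}

# Constructed demo: one approved key and one the user appended behind a
# from= option; the expected result is a single UNAPPROVED line, exit 1.
demo() {
  d=$(mktemp -d)
  printf '%s\n' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0001' \
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleApprovedKey0002' \
    > "$d/approved.ids"
  printf '%s\n' '# installed by admin' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKey0001 admin@corp' \
    'from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUserAddedKey0003 me' \
    > "$d/authorized_keys"
  audit_authorized_keys "$d/authorized_keys" "$d/approved.ids"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh audit.sh demo` (hypothetical filename) to see the constructed case; on a real host, point `audit_authorized_keys` at each user's file and your own approved list from cron and treat a non-zero exit as an alert.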

 
