[Watford] SSH Questions

Magnus Kelly magnus.kelly at mapesbury.com
Tue Sep 16 20:54:25 UTC 2008



> -----Original Message-----
> From: watford-bounces at mailman.lug.org.uk
> [mailto:watford-bounces at mailman.lug.org.uk] On Behalf Of Yvan Seth
> Sent: 16 September 2008 21:32
> To: watford at mailman.lug.org.uk
> Subject: Re: [Watford] SSH Questions
> 
> On Tue, Sep 16, 2008 at 09:27:49PM +0100, Magnus Kelly wrote:
> > but is it not possible to limit file permissions to make the .ssh
> > directories read only to all but root? Or does ssh insist on having
> > write access?
> >
> > Might be a silly question, but I had always thought this was one of
> > the inherent benefits of unix?
> 
> Yes, it is possible to lock down users' $HOME/.ssh directories, and
> doing this is one way you could lock them to only pre-approved SSH
> public keys.  The problem is that they have full control of the private
> key, which is outside of your system.  If you give them a key with a
> passphrase, they can remove it at their end and there is no way for an
> ssh server to know that this has happened (passphrases are entirely
> handled at the ssh-client end.)
> 
> -Yvan
> 
[Magnus] Interesting - I had always thought that the passphrase was
part of the two-way communication. If I understand you, the password is
never seen on the wire in any form. Got it.

Then is it not possible to control which account the ssh key opens and
then force the user to su post-login to a password-protected account
that does not allow direct login - hence without the key you can't try
and log in to the correct account that has the rights to perform the
legit remote process?

On a related note - can the expensive commercial number generator
systems that produce a dynamic password be created from only open source
if coupled with a custom USB-type dongle?
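
Added example, not part of the original thread: a Python check for the lock-down Yvan describes, listing every path component that would let a user rewrite or swap their authorized_keys file. The sample layouts, the user alice (uid 1001) and the /etc/ssh/authorized_keys/ location are constructed assumptions; it also covers the case where the user owns $HOME and can therefore rename a root-owned .ssh directory and create a new one.

```python
import os
import stat
from collections import namedtuple

St = namedtuple("St", "st_uid st_gid st_mode")
D, F = stat.S_IFDIR, stat.S_IFREG

# Constructed sample metadata (uid 0 = root, uid 1001 = hypothetical user "alice").
HOME_LAYOUT = {
    "/": St(0, 0, D | 0o755),
    "/home": St(0, 0, D | 0o755),
    "/home/alice": St(1001, 1001, D | 0o755),
    "/home/alice/.ssh": St(0, 0, D | 0o755),
    "/home/alice/.ssh/authorized_keys": St(0, 0, F | 0o644),
}
# Assumed alternative: keys kept outside $HOME in a root-owned tree.
ETC_LAYOUT = {
    "/": St(0, 0, D | 0o755),
    "/etc": St(0, 0, D | 0o755),
    "/etc/ssh": St(0, 0, D | 0o755),
    "/etc/ssh/authorized_keys": St(0, 0, D | 0o755),
    "/etc/ssh/authorized_keys/alice": St(0, 0, F | 0o644),
}

def user_controlled(path, uid, gids=(), lstat=os.lstat):
    """List (component, reason) pairs that let `uid` rewrite or swap `path`."""
    findings = []
    path = os.path.normpath(path)
    while True:
        st = lstat(path)
        mode = st.st_mode
        # In a sticky directory (e.g. /tmp) others cannot rename root's entries.
        sticky = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
        if st.st_uid == uid:
            findings.append((path, "owned by user"))
        elif not stat.S_ISLNK(mode) and not sticky:
            if st.st_gid in gids and mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            elif mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            return findings
        path = parent
```

On a live system, call it with the default `lstat` and the real uid and group ids; an empty list means no component of the path is under the user's control.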

