[Watford] SSH Questions
Mark Stewart
markwstewart at gmail.com
Wed Sep 17 08:18:51 UTC 2008
I meant the path to the file, not a list. You answered my question about
storing the keys in AD. But by virtue of users being able to remove
passwords from their private key this won't help me.
2008/9/17 Neel Upadhyaya <bahulneel at gmail.com>
> [mark] do you mean you store the path to the authorized_keys file in ldap?
> Or the actual list of public keys?
>
> Yes, the keys are all stored in ldap against the user accounts, allowing
> central key management.
>
> 2008/9/16 Mark Stewart <markwstewart at gmail.com>
>
>> do you mean you store the path to the authorized_keys file in ldap? Or the
>> actual list of public keys?
>>
>>
>> On 16/09/2008, Neel Upadhyaya <bahulneel at gmail.com> wrote:
>>>
>>> You can offload this to ldap. We do that here.
>>>
>>> 2008/9/16 Mark Stewart <markwstewart at gmail.com>
>>>
>>>> Good point. I want to avoid a PKI-style roll-out - I'm looking at
>>>> ways of locking/changing the location of the authorized_key file.
>>>>
>>>> On 16/09/2008, Yvan Seth <watford.lug.org.uk at malignity.net> wrote:
>>>> > On Tue, Sep 16, 2008 at 03:29:54PM +0100, Mark Stewart wrote:
>>>> >> Hi Magnus, thanks for your input. I think that what Yvan said is true
>>>> >> and that it will come down to policy even if I distributed the keys
>>>> >> myself as users can update their own authorized_keys file in their
>>>> >> .ssh folder. I guess if I get time I could police this by locking down the
>>>> >> authorized_keys file so users can't update it, but it will involve some
>>>> >> testing.
>>>> >>
>>>> >> I could also check the authorized key file to ensure it only has keys
>>>> >> generated by me inside it. mmmm, I need to go and do some testing.
>>>> >
>>>> > Alas, Magnus's suggestion doesn't quite work. You can distribute
>>>> > pre-passphrased keys but then your users (who obviously must know the
>>>> > passphrase) can "unwrap" the key to an unprotected version (see the
>>>> > ssh-keygen manpage.) Assuming you have mischievous users.
>>>> >
>>>> > There is another completely different option... use an external key
>>>> > dongle of some kind. See the -I option for the command-line SSH
>>>> > client.
>>>> > I've never seen this in action and have no idea what the caveats are.
>>>> > Top Google links for "ssh smartcard":
>>>> > http://smartcard-auth.de/ssh-en.html
>>>> > http://www.faqs.org/docs/Linux-HOWTO/Smart-Card-HOWTO.html
>>>> > (Question for further research: what's to stop someone from simply
>>>> > dumping the key data from the "smart" card?)
>>>> >
>>>> > -Yvan
>>>> >
>>>> > _______________________________________________
>>>> > Watford mailing list
>>>> > Watford at mailman.lug.org.uk
>>>> > https://mailman.lug.org.uk/mailman/listinfo/watford
>>>> >
>>>>
>>>
>>> --
>>> MCSE is to computers as McDonalds Certified Chef is to fine cuisine.
>>>
>>
>
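One way to implement the check Mark describes (verifying that each user's authorized_keys contains only admin-issued keys), as an added example that is not part of the original thread. It assumes a central allowlist in authorized_keys format and compares only the key-type and base64 fields, so it needs no ssh-keygen; all paths and key material below are constructed sample data.

```shell
# Added example (not from the thread): audit a user's authorized_keys file
# against a central allowlist of admin-issued public keys. Only the key-type
# and base64 fields are compared, so no ssh-keygen is needed. All paths and
# key material below are constructed sample data.

# Print "type blob" for each key in an authorized_keys-format file, skipping
# comments, blank lines and any leading options field (from=..., no-pty,
# etc.). Options containing quoted spaces are a known limit of this parser.
key_ids() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                    print $i, $(i + 1); break
                }
        }' "$1"
}

# Print keys in $2 (user file) that are not in $1 (allowlist).
# Returns 0 when the user file is clean, 1 when unauthorised keys were found.
audit_authorized_keys() {
    allow=$(mktemp) || return 2
    key_ids "$1" > "$allow"
    found=$(key_ids "$2" | grep -vxF -f "$allow" || :)
    rm -f "$allow"
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample data: two admin-issued keys, and alice's file carrying
# one of them plus a self-added key with an options prefix.
ALLOW_FILE=$(mktemp)
USER_FILE=$(mktemp)
cat > "$ALLOW_FILE" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEYALICE admin-issued alice
ssh-rsa AAAAB3NzaC1yc2EEXAMPLEADMINKEYBOB admin-issued bob
EOF
cat > "$USER_FILE" <<'EOF'
# alice's keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEYALICE admin-issued alice
from="10.0.0.0/8",no-pty ssh-rsa AAAAB3NzaC1yc2ESELFADDEDKEY alice@laptop
EOF

audit_authorized_keys "$ALLOW_FILE" "$USER_FILE" \
    || echo "unauthorised key(s) found in $USER_FILE"
```

The complementary control for the "change the location" idea is sshd_config's AuthorizedKeysFile directive (for example AuthorizedKeysFile /etc/ssh/authorized_keys/%u), which moves the file into a root-owned directory the user cannot edit.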