
Re: ncftp

Danny Sauer wrote:
> 
> Yeah, you just copy your identity.pub over to the server, and do a
> cat identity.pub >> ~/.ssh/authorized_keys
> 
> sauer@pyro:/home/nfs/sauer > ls -l .ssh/identity*
> -rw-------   1 sauer    users         525 May 24 21:22 .ssh/identity
> -rw-r--r--   1 sauer    users         329 May 24 21:22 .ssh/identity.pub
> sauer@pyro:/home/nfs/sauer > ls -l .ssh/authorized_keys
> -rw-------   1 sauer    users        1674 May 24 21:58 .ssh/authorized_keys
> 
> And a quote from the ssh man page (re: RSA authentication):
>      The file
>      $HOME/.ssh/authorized_keys lists the public keys that are permitted for
>      logging in.  When the user logs in, the ssh program tells the server
>      which key pair it would like to use for authentication.  The server
>      checks if this key is permitted, and if so, sends the user (actually the
>      ssh program running on behalf of the user) a challenge, a random number,
>      encrypted by the user's public key.  The challenge can only be decrypted
>      using the proper private key.  The user's client then decrypts the
>      challenge using the private key, proving that he/she knows the private key
>      but without disclosing it to the server.
> 
> So, as long as your private key is not readable by anyone else, you should be
> OK as far as your security goes.  I use it, and it's made my life a lot easier.
> :)
> 

... until someone gets root on that box and then has free access to
anywhere that key works.  The ssh server config has a line about asking
for passwords: when set, it asks for passwords on top of the key; when
not set, it allows you in with the key only.

I was reading through this month's Linux Journal, and there is an
article in the back that talks about a couple of options ("Command" I think
one was) that you can put in the server config to allow certain users to
only execute a certain command.  This would then make it futile if
someone gets that key, as they could only do some menial task and not
have a full shell.

--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
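The two defensive points raised in this thread, a private key that is readable only by its owner and a key that is locked to a single command, as an added shell example that is not part of the original messages. The per-key `command="..."` option (together with `no-pty`, `no-port-forwarding`, `no-agent-forwarding` and `no-X11-forwarding`) is written into `~/.ssh/authorized_keys` on the server, one entry per key. The public key line, the gate script path `/usr/local/bin/backup-gate` and the short allowlist of permitted commands are constructed placeholders for illustration:

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for restricting an SSH key the
# way the discussion suggests: check the private key's permissions, emit a
# restricted authorized_keys entry, and gate what a forced command will run.

# Return 0 when the file is owner read/write only (-rw-------), as the
# identity file in the quoted ls output is; 1 otherwise. Uses ls rather than
# stat so it works on both GNU and BSD userlands.
key_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    [ "$perms" = "-rw-------" ]
}

# Build one authorized_keys line that forces a single command and disables
# pty allocation and all forwarding, so a stolen key cannot get a shell.
#   $1 = command to force, $2 = the public key line (contents of identity.pub)
restricted_key_line() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Return 0 when an authorized_keys line carries a forced command, 1 otherwise.
# Handy for auditing a file: any line without command="..." is an unrestricted key.
has_forced_command() {
    case "$1" in
        'command="'*) return 0 ;;
        *) return 1 ;;
    esac
}

# What the forced command itself would do: sshd puts the client's requested
# command in SSH_ORIGINAL_COMMAND, and the gate only runs exact allowlisted
# strings. The allowlist below is a constructed placeholder.
allow_original_command() {
    case "$1" in
        "uptime"|"df -h") return 0 ;;
        *) return 1 ;;
    esac
}

# Run the gate for real when executed as the forced command (no-op when sourced).
run_gate() {
    if allow_original_command "${SSH_ORIGINAL_COMMAND:-}"; then
        sh -c "$SSH_ORIGINAL_COMMAND"
    else
        echo "command not permitted for this key" >&2
        return 1
    fi
}

# Demo with a constructed placeholder public key (not a real key):
example_pub="ssh-rsa AAAAB3EXAMPLEPLACEHOLDER sauer@pyro"
restricted_key_line "/usr/local/bin/backup-gate" "$example_pub"
```

Copy the printed line into the server's `~/.ssh/authorized_keys`, and install the gate logic as the script named in `command=`; the client's requested command then only ever reaches the allowlist check, never a shell.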