Re: ncftp
Danny Sauer wrote:
>
> Yeah, you just copy your identity.pub over to the server, and do a
> cat identity.pub >> ~/.ssh/authorized_keys
>
> sauer@pyro:/home/nfs/sauer > ls -l .ssh/identity*
> -rw------- 1 sauer users 525 May 24 21:22 .ssh/identity
> -rw-r--r-- 1 sauer users 329 May 24 21:22 .ssh/identity.pub
> sauer@pyro:/home/nfs/sauer > ls -l .ssh/authorized_keys
> -rw------- 1 sauer users 1674 May 24 21:58 .ssh/authorized_keys
>
> And a quote from the ssh man page (re: RSA authentication):
> The file
> $HOME/.ssh/authorized_keys lists the public keys that are permitted for
> logging in. When the user logs in, the ssh program tells the server
> which key pair it would like to use for authentication. The server
> checks if this key is permitted, and if so, sends the user (actually the
> ssh program running on behalf of the user) a challenge, a random number,
> encrypted by the user's public key. The challenge can only be decrypted
> using the proper private key. The user's client then decrypts the
> challenge using the private key, proving that he/she knows the private key
> but without disclosing it to the server.
>
> So, as long as your private key is not readable by anyone else, you should be
> OK as far as your security goes. I use it, and it's made my life a lot easier.
> :)
>
... until someone gets root on that box and then has free access to
anywhere that key works. The ssh server config has a line about asking
for passwords: when set, it asks for passwords on top of the key; when
not set, it allows you in with the key only.
I was reading through this month's Linux Journal, and there is an
article in the back that talks about a couple options ("Command" I think
one was) that you can put in the server config to allow certain users to
only execute a certain command. This would then make it futile if
someone gets that key, as they could only do some menial task and not
have a full shell.
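The restriction the reply describes (a key that can only run one fixed thing, so a copied private key does not hand out a full shell) written out as a forced-command wrapper for an authorized_keys entry. This is an added example, not code from the thread or from Linux Journal; the install path /usr/local/bin/ssh-wrapper, the three allowed commands, the "backup@client" comment and the logging of refused requests are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for an authorized_keys entry (added example, not
# from the thread). Assumed install path: /usr/local/bin/ssh-wrapper; the
# key field below is a placeholder, not real key material:
#
#   command="/usr/local/bin/ssh-wrapper",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding <public key here> backup@client
#
# With command= set, sshd runs this wrapper no matter what the client asked
# for; the client's request is only visible in $SSH_ORIGINAL_COMMAND. A copied
# private key therefore yields only what allowed_cmd() permits, never a shell.

# allowed_cmd REQUEST: return 0 if REQUEST is on the allowlist, else 1.
# Exact whole-string matches only, so "uptime; sh" or "df -h && id" fail.
# The request is never evaluated by a shell here, so metacharacters in it
# cannot chain a second command.
allowed_cmd() {
  case "$1" in
    "uptime"|"df -h"|"cat /var/log/backup.status") return 0 ;;
    *) return 1 ;;
  esac
}

# dispatch REQUEST: returns 0 when the request may run, 1 when refused.
# Empty requests (plain "ssh host" hoping for a shell) are refused too.
dispatch() {
  req="$1"
  if [ -z "$req" ]; then
    echo "deny: no command given; interactive login is not offered" >&2
    return 1
  fi
  allowed_cmd "$req" && return 0
  # Refused requests are the signal worth watching: a key used outside its
  # purpose suggests the private key has been copied.
  logger -p auth.warning -t ssh-wrapper \
    "refused '$req' from ${SSH_CLIENT:-unknown}" 2>/dev/null || true
  echo "deny: $req" >&2
  return 1
}

# Only exec when sshd invokes the installed wrapper; running this file under
# another name (e.g. for tests) just defines the functions above.
if [ "${0##*/}" = "ssh-wrapper" ] && [ -n "$SSH_CONNECTION" ]; then
  set -f                              # no globbing while splitting the request
  dispatch "$SSH_ORIGINAL_COMMAND" || exit 1
  # shellcheck disable=SC2086
  exec $SSH_ORIGINAL_COMMAND
fi
```

The no-pty and no-*-forwarding options close the other doors a key-only login would leave open, so the wrapper's allowlist is the whole surface a stolen key can reach.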