
Re: RedHat 7 distribution cds



On Wed, Mar 07, 2001, Ilya Konstantinov wrote about "Re: RedHat 7 distribution cds":
> On Wed, Mar 07, 2001 at 04:53:58PM +0200, Nadav Har'El wrote:
> > There are other rules, like "Never run anything that sends shell-account
> > passwords cleartext" (telnet is obviously a faux-pas, but so are
> > non-anonymous FTP and POP3 - unless these accounts are shell-less),
> > but I'll leave some for another time ;)
> 
> Or if your shell-owning users are too stupid to avoid using POP3,
> make sshd work with RSA keys only. That way, even if the regular
> password is grabbed, it'll be useless to get a shell.

This is a great idea. When you create an account for someone, rather than
giving them a random password, ask them for _their_ public key (ask them
for their ~/.ssh/identity.pub, or the ssh2 equivalent, and if they don't
have that yet they should run ssh-keygen [-d]). While I've been using
ssh with RSA keys for a long time, last week was the first time that it
dawned on me that I can actually create an account without a password, and
log into it only using an RSA key. So far so good.

The only downside to this method is that users who are used to moving between
different terminals and logging in will need to start carrying their private
keys on diskettes with them, or download them (encrypted, of course) from
the net all the time. Alternatively, the user can log in from one terminal
to add the public key he uses in another terminal. This is a bit of a hassle.

P.S. obviously RSA keys have their own share of security problems. If you
allow logins using the key of a less-secure account into a more-secure
account, this essentially means that anybody breaking into your less-secure
account will automatically be able to break into your more-secure account
which is Bad. So RSA keys aren't the security silver bullet, but they can
sure come in handy.

-- 
Nadav Har'El                        |      Wednesday, Mar 7 2001, 13 Adar 5761
nyh@math.technion.ac.il             |-----------------------------------------
Phone: +972-53-245868, ICQ 13349191 |Linux: Because rebooting is for adding
http://nadav.harel.org.il           |new hardware.
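
An added example to go with the key-only setup discussed in the message above (it is not code from the thread or from Nadav; the message only names the idea). It does two things a practitioner wants when switching an account to "RSA key only": it audits an sshd_config to confirm that password logins really are off, and it creates an account whose only credential is the public key the user supplies. Assumed: a Linux userland (useradd, passwd, getent, install) and the OpenSSH directive names PasswordAuthentication, ChallengeResponseAuthentication/KbdInteractiveAuthentication and PubkeyAuthentication (the modern equivalent of the ssh1-era RSAAuthentication). All sample config contents and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Two helpers for a key-only login setup:
#   audit_sshd_config FILE       - exit 0 only if FILE really disables password
#                                  logins and leaves public-key logins enabled
#   create_key_only_account U K  - create account U whose only credential is
#                                  the public key in file K (must run as root)
# Assumed: Linux userland (useradd, passwd, getent, install) and OpenSSH
# directive names. All file paths and sample contents below are constructed.

# sshd takes the FIRST value it sees for a keyword (later duplicates are
# ignored), keyword names are case-insensitive, and a "Match" block can
# re-enable a method for some users. The audit therefore records the first
# global value of each keyword and flags any Match block that turns a
# password-bearing method back on.
audit_sshd_config() {
    awk '
    {
        sub(/#.*/, "")                      # drop comments; $0 is re-split
        if (NF < 2) next
        k = tolower($1); v = tolower($2)
        if (k == "match") { inmatch = 1; next }
        if (inmatch) {
            if ((k == "passwordauthentication" ||
                 k == "kbdinteractiveauthentication" ||
                 k == "challengeresponseauthentication") && v == "yes")
                reenabled = 1
            next
        }
        if (!(k in first)) first[k] = v     # first occurrence wins
    }
    END {
        pw = ("passwordauthentication" in first) ? first["passwordauthentication"] : "yes"
        if ("kbdinteractiveauthentication" in first)
            kbd = first["kbdinteractiveauthentication"]
        else if ("challengeresponseauthentication" in first)
            kbd = first["challengeresponseauthentication"]
        else
            kbd = "yes"
        pk = ("pubkeyauthentication" in first) ? first["pubkeyauthentication"] : "yes"
        ok = (pw == "no" && kbd == "no" && pk == "yes" && !reenabled)
        exit (ok ? 0 : 1)
    }' "$1"
}

# Create the account with no usable password at all: useradd leaves the shadow
# entry locked, passwd -l makes that explicit, and the user's own public key
# becomes the only way in. sshd (StrictModes, the default) refuses keys that
# sit in group/world-writable paths, so install sets the modes it expects.
create_key_only_account() {
    user=$1; pubkey=$2
    useradd -m -s /bin/bash "$user"
    passwd -l "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    group=$(id -gn "$user")
    install -d -m 700 -o "$user" -g "$group" "$home/.ssh"
    install -m 600 -o "$user" -g "$group" "$pubkey" "$home/.ssh/authorized_keys"
}

# Demonstration on constructed sshd_config fragments (no real server is touched).
tmp=$(mktemp -d)
printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$tmp/keys-only"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'Match User backup' '    PasswordAuthentication yes' > "$tmp/match-hole"
for f in keys-only match-hole; do
    if audit_sshd_config "$tmp/$f"; then echo "$f: password logins disabled"
    else echo "$f: password logins still possible"; fi
done
rm -rf "$tmp"
```

The audit deliberately fails closed: a commented-out `#PasswordAuthentication no` counts as the default (yes), a second `PasswordAuthentication` line is ignored because sshd only honours the first, and a Match block that re-enables passwords for even one user fails the whole file, since that one user's leaked POP3 password would again be enough for a shell.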

=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il