SSH question
From: Armin M. Safarians (armin.safarians_at_safeway.com)
Date: 07/16/03
- Previous message: Ed J. Aivazian: "Re: Allow logins by username"
- Next in thread: Brian Hatch: "Re: SSH question"
- Reply: Brian Hatch: "Re: SSH question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 16 Jul 2003 08:59:10 -0700
To: secureshell@securityfocus.com
I hope someone can help with this finding.
We are investigating centralized control of the authorized_keys file in
a root-owned directory with world-readable permission so we can control
key usage. We have added user1@hosta's key into this file.
Here is the situation:
user1@hosta has a key on hostb in the authorized_keys file.
From hosta, user1 can ssh user2@hostb and log in using user1's key
(it doesn't matter if a passphrase is set or not, or if an agent is running or
not).
It seems that so long as user1 has a key on any machine, and it exists
in the authorized_keys file, user1 can ssh to those remote hosts as
anyone else.
It seems that the commercial version has solved this by not adding the
key itself in the authorized_keys file, but rather a directive "Key
user1key.pub", and then controlling the read on the key file to only user1.
AMS :-)
--
Armin M. Safarians
Safeway Inc.
VOICE: 925.944.4246
EMAIL: armin.safarians@Safeway.com

Success is the result of preparation, hard work, and learning from mistakes.

"MMS <safeway.com>" made the following annotations.

Warning: All e-mail sent to this address will be received by the Safeway corporate e-mail system, and is subject to archival and review by someone other than the recipient. This e-mail may contain information proprietary to Safeway and is intended only for the use of the intended recipient(s). If the reader of this message is not the intended recipient(s), you are notified that you have received this message in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately.
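The flaw the post describes comes from pointing every account at one shared authorized_keys file: sshd only checks whether the presented key appears in the file it consults for the target account, so a key listed in a shared file authorizes its holder as every account that file serves. OpenSSH's AuthorizedKeysFile directive accepts %u (user name) and %h (home directory) tokens, so a root-owned central directory with one file per account keeps centralized control without that cross-account effect. The audit script below is an added example and not part of the original message or any project; it resolves AuthorizedKeysFile templates for a constructed user list and reports any file that more than one account would be authenticated against. The sshd_config snippets and the user/home table are constructed sample input.

```python
"""Audit sshd AuthorizedKeysFile settings for the "one shared file grants every
account" problem.  Added example (not from the original post); the configs and
user table below are constructed sample input."""
import re
from collections import defaultdict

# Constructed sample configs: the shared layout from the post and a per-user
# layout inside the same root-owned directory.
SHARED_CONFIG = "AuthorizedKeysFile /etc/ssh/authorized_keys\n"
PER_USER_CONFIG = "AuthorizedKeysFile /etc/ssh/authorized_keys/%u\n"

# Constructed user database: account name -> home directory.
USERS = {"user1": "/home/user1", "user2": "/home/user2", "root": "/root"}


def authorized_keys_templates(sshd_config):
    """Return the AuthorizedKeysFile value(s) from an sshd_config text.

    Comments are stripped, the keyword is matched case-insensitively, and
    the OpenSSH default (.ssh/authorized_keys, relative to $HOME) is returned
    when the directive is absent.
    """
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(?i)AuthorizedKeysFile\s+(.+)", line)
        if m:
            return m.group(1).split()
    return [".ssh/authorized_keys"]


def expand(template, user, home):
    """Expand %%, %h and %u the way sshd does for a given account.

    A path that does not start with "/" is taken relative to the account's
    home directory, matching sshd's handling of the default value.
    """
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c == "%" and i + 1 < len(template):
            token = template[i + 1]
            if token == "%":
                out.append("%")
            elif token == "h":
                out.append(home)
            elif token == "u":
                out.append(user)
            else:
                raise ValueError("unknown AuthorizedKeysFile token %%%s" % token)
            i += 2
        else:
            out.append(c)
            i += 1
    path = "".join(out)
    if not path.startswith("/"):
        path = home.rstrip("/") + "/" + path
    return path


def shared_key_files(sshd_config, users):
    """Map each resolved authorized_keys path to the accounts it serves and
    return only the paths consulted for more than one account.

    Any key listed in such a file logs its holder in as every account in the
    returned list, which is exactly the cross-account login seen in the post.
    """
    serves = defaultdict(set)
    for template in authorized_keys_templates(sshd_config):
        for user, home in users.items():
            serves[expand(template, user, home)].add(user)
    return {path: sorted(accts) for path, accts in serves.items() if len(accts) > 1}


if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_CONFIG), ("per-user", PER_USER_CONFIG)):
        print(label, "->", shared_key_files(cfg, USERS) or "no cross-account files")
```

With the shared layout the script reports /etc/ssh/authorized_keys as serving root, user1 and user2; with the %u layout it reports nothing, because each account resolves to its own file under the root-owned directory. Directory and file ownership and modes (root-owned, not group- or world-writable) still need to be enforced separately; this script only checks the path mapping.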