Re: SSH question
From: Armin M. Safarians (armin.safarians_at_safeway.com)
Date: 07/17/03
Date: Wed, 16 Jul 2003 17:33:33 -0700
To: "Brian Hatch" <secure-shell@ifokr.org>
I believe you are right in that I misrepresented the issue. BTW, we
already found the answer and I will put that in here also.
We set the authorized_keys location in the sshd_config file to be a system
control area, /usr/local/etc/. That way we keep control of
key usage. This essentially tells sshd to only look there for
keys and not in ~user/.ssh. This way you keep control of who can use key
auth and who can not. In our old case we just added different user keys
to the /usr/local/etc/authorized_keys file and that enabled that user to ssh
to the machine as any valid user in the passwd. This was because when I
ssh someoneelse@hosta, so long as someoneelse can read
/usr/local/etc/authorized_keys, the authentication happens and I drop
into hosta as someoneelse.
The fix is to set the authorized_keys setting in sshd_config to be
/usr/local/etc/%u. Then chown username /usr/local/etc/%u, chmod 400
/usr/local/etc/%u. So for example, for user bill:
Keyfile: /usr/local/etc/bill
chown bill /usr/local/etc/bill
chmod 400 /usr/local/etc/bill
That way when bill sshes from host to hosta as jim, jim would not have
access to read the key file and it would drop to password
authentication. However, bill can still get in. Versus the old way, where
so long as a login as jim was attempted, since jim could read
the authorized file, the system would find a key for bill and let him in
as jim.
This is so difficult to explain in an email.
Please tell me if I have managed to confuse the issue further or clarify it.
Thanks,
AMS :-)
Brian Hatch wrote:
>
>
>>I hope someone can help with this finding.
>>We are investigating centralized control of the authorized_keys file in
>>a root owned directory with world readable permission so we can control
>>key usage. we have added user1@hosta's key into this file.
>>
>>
>
>You haven't really defined this well.
>
>authorized_keys files go into the .ssh directory of a specific
>user. So if I wanted the key 'id_rsa.pub' to be allowed to
>ssh into my account (jdoe) on host 'host-a', I'd do the following
>
> me@home$ cd ~/.ssh
> me@home$ ls
> id_rsa id_rsa.pub
>
> me@home$ scp id_rsa.pub jdoe@host-a:mykey.pub
> me@home$ ssh jdoe@host-a
> (type password, since the key isn't trusted yet.)
>
> jdoe@host-a$ mkdir .ssh ; chmod 700 .ssh . ; cd .ssh
> jdoe@host-a$ cat ../mykey.pub >> authorized_keys
> jdoe@host-a$ chmod 600 authorized_keys
>
> me@home$ ssh jdoe@host-a
> (no password required now.)
>
>
>Now, if I take my id_rsa key and copy it to some other
>machine (say my ISP, or my work machine, etc) then yes,
>I can use it to log into host-a with pubkey authentication.
>
>If I want to allow this key only from one host, then edit
>the authorized_keys file and add a 'from=' option, a la
>
> jdoe@host-a$ head -1 authorized_keys
> from=192.168.1.1 AAAAB3NzaC1yc2EAAAABIwAAAIEAp8Z4Efr8...
>
>
>
>>It seems that so long as user1 has a key on any machine, and it exists
>>in the authorized_keys file, user1 can ssh to those remote hosts as
>>anyone else.
>>
>>
>
>The user should only be able to log into an account that has included
>user1's public key in their authorized_keys file. This user couldn't
>log in as me if I don't have his pubkey in my authorized_keys file,
>for example.
>
>
>If I'm misunderstanding your situation, let me know.
>
>--
>Brian Hatch                        Never test the depth
> Systems and                       of the water with
> Security Engineer                 both feet.
>www.buildinglinuxvpns.net
>
>Every message PGP signed
>
--
Armin M. Safarians
Safeway Inc.
VOICE: 925.944.4246
EMAIL: armin.safarians@Safeway.com
Success is the result of preparation, hard work, and learning from mistakes.
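As an added example (not from Armin's or Brian's mail), the following POSIX shell checks express the fix described above: a per-user key file must be named after the account that owns it and be unreadable by anyone else, and the sshd_config directive (assumed here to be OpenSSH's AuthorizedKeysFile) must contain a per-user token rather than one shared path. The directory and file names are illustrative and can be pointed at a scratch directory for testing.

```shell
# Print "owner mode" for a path; GNU stat first, then BSD stat.
file_owner_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_keyfile PATH: return 0 only if PATH is a safe per-user key file,
# i.e. owned by the user it is named after and mode 0400 (0600 also
# accepted). A file readable by group/other is the shared-file problem
# from the thread: any account that can read it gets every key in it.
check_keyfile() {
    kf=$1
    kname=$(basename "$kf")
    set -- $(file_owner_mode "$kf")
    [ "$1" = "$kname" ] || { echo "BAD owner: $kf owned by '$1'" >&2; return 1; }
    case "$2" in
        400|600) return 0 ;;
        *) echo "BAD mode $2: $kf" >&2; return 1 ;;
    esac
}

# audit_keydir DIR: run check_keyfile on every regular file in DIR
# (e.g. /usr/local/etc); return 1 if any file fails.
audit_keydir() {
    rc=0
    for kf in "$1"/*; do
        [ -f "$kf" ] || continue
        check_keyfile "$kf" || rc=1
    done
    return $rc
}

# check_sshd_config FILE: return 0 if the AuthorizedKeysFile value uses a
# per-user token (%u or %h). A literal shared path such as
# /usr/local/etc/authorized_keys is the configuration that let bill log
# in as jim in the thread.
check_sshd_config() {
    val=$(awk 'tolower($1)=="authorizedkeysfile" {print $2; exit}' "$1")
    [ -n "$val" ] || { echo "no AuthorizedKeysFile in $1" >&2; return 1; }
    case "$val" in
        *%u*|*%h*) return 0 ;;
        *) echo "shared key file (no %u/%h): $val" >&2; return 1 ;;
    esac
}
```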