Openssh, operator controlled authorized_keys



I want to control access to my machines via public keys. I'm
implanting the private key in a smartcard-like token, and giving the
tokens to people for access. They'll use the tokens like smartcards,
and ssh-agent can use those RSA keys on the tokens.

However, I don't want people to authorize other public keys (i.e., not
on physical tokens) after they've logged in.

How do I configure OpenSSH so that it'll permit a public key for a
user, without giving the user the opportunity to change/add public
keys to the authorized list?

Also, is there a way to have a single file with the authorized keys
for *all* users? Like /etc/shadow, but for public keys rather than
passwords.

Thanks.

Steve
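One way to get the operator-controlled setup Steve describes, added here as an example that is not part of the original post or of OpenSSH's own documentation: sshd's AuthorizedKeysFile directive (a real sshd_config option, in which %u expands to the login name) is pointed at a directory that only root can write. The directory path /etc/ssh/authorized_keys, the helper function names, and the sample key string are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): keep authorized keys under the
# operator's control by having sshd read them from a root-owned directory.
# Assumption: OpenSSH honours the AuthorizedKeysFile directive with the %u
# token; the path /etc/ssh/authorized_keys is an illustrative choice.

KEYDIR="${KEYDIR:-/etc/ssh/authorized_keys}"

# Print the sshd_config lines for this scheme. Setting AuthorizedKeysFile
# replaces the default ~/.ssh/authorized_keys, so keys a user adds to their
# home directory are no longer consulted.
sshd_config_fragment() {
    cat <<EOF
# One root-owned file per user; %u expands to the login name.
AuthorizedKeysFile $KEYDIR/%u
# Only the token-backed key should get anyone in.
PasswordAuthentication no
# Keep sshd refusing key files with unsafe ownership or permissions.
StrictModes yes
EOF
}

# Install (append) one public key for a user into the operator directory.
# Files are readable by all but writable only by the owner (the operator).
install_user_key() {
    dir="$1"; user="$2"; pubkey="$3"
    mkdir -p "$dir"
    chmod 755 "$dir"
    printf '%s\n' "$pubkey" >> "$dir/$user"
    chmod 644 "$dir/$user"
}

# Check that a key file exists, is owned by $2 and is not writable by group
# or others, i.e. the conditions under which a user cannot alter it.
# Returns 0 when the file passes, 1 otherwise.
check_keyfile() {
    f="$1"; owner="$2"
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -prune -user "$owner" ! -perm -g+w ! -perm -o+w -print 2>/dev/null)" ]
}

# Audit every key file in the operator directory against the expected owner.
# Prints offenders; returns 1 if any file fails the check.
audit_keydir() {
    dir="$1"; owner="$2"; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        if ! check_keyfile "$f" "$owner"; then
            echo "UNSAFE: $f"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: show the configuration fragment for review.
sshd_config_fragment
```

Because the authorized_keys format has no username column, a single shared file would authorize every listed key for every account; one root-owned file per user under a root-owned directory gives the "/etc/shadow for public keys" effect Steve is after while keeping each user's key set separate. In production the audit function is run as root with owner "root".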
