Re: authentication method shell variable?




--- Greg Wooledge <wooledg@xxxxxxxxxxx> wrote:

On Sun, Aug 27, 2006 at 07:28:06AM -0400, Jaqui Greenlees wrote:
In a recent discussion about secure ssh use the idea of having ssh export the authentication method as a shell variable. The idea being to limit su access to only those who have used a public / private key pair for authentication.

What prevents the black-hat cracker from simply setting that environment variable after getting in using a password?

The fact that access to su is granted by authentication to start the bash session, not when su is invoked.
The shell variable is only invoked by the shell during the session start process to limit or allow the access.

Although it would be more work, you might consider developing a system that grants group membership (e.g. in the "wheel" group) after appropriate authentication. Then restrict "su" to those who are in that group.

In effect, I'm wanting to do exactly this, by using the authentication method for the ssh tunnel to determine the group membership. Only those using the key pair get the access to admin tools.
This limits remote admin to those you have set up the key pair access for on the system, yet doesn't stop use of the other authentication methods for remote access, only limits their access to the system admin tools.

This type of functionality would benefit large networks or web hosting companies that do allow ssh access to account holders, yet not interfere with the remote access for administration staff tasks. A trusted and non trusted account holder status.
( trusted are the staff, non trusted are the clients )
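
The trusted / non-trusted split discussed in this thread can also be enforced from the server side, without any value that lives in the user's session: require a key pair for members of the admin group in sshd, and restrict su to that group. The following is an added example, not part of the original messages; `Match Group`, `AuthenticationMethods` and `pam_wheel.so` are existing OpenSSH and PAM features, while the sample configuration texts and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; both config texts below are constructed samples.

# Weak: every account, staff included, may log in with a password.
WEAK_CONFIG='PasswordAuthentication yes
PubkeyAuthentication yes'

# Hardened: clients keep passwords, members of wheel must use a key pair.
HARDENED_CONFIG='PasswordAuthentication yes
PubkeyAuthentication yes
Match Group wheel
    AuthenticationMethods publickey
Match all
    X11Forwarding no'

# Constructed /etc/pam.d/su line: only wheel members may run su.
PAM_SU='auth       required   pam_wheel.so use_uid'

# group_requires_key CONFIG GROUP
# Succeeds if CONFIG has a "Match Group GROUP" block (no extra criteria)
# whose AuthenticationMethods lists all include publickey.
group_requires_key() {
    printf '%s\n' "$1" | awk -v g="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" {
            # Any Match line closes the previous block.
            in_block = (NF == 3 && tolower($2) == "group" && $3 == g)
            next
        }
        in_block && !seen && tolower($1) == "authenticationmethods" {
            seen = 1; ok = (NF >= 2)
            # Each list is an alternative, so every one must need a key.
            for (i = 2; i <= NF; i++)
                if (("," $i ",") !~ /,publickey,/) ok = 0
        }
        END { exit !ok }'
}

# su_limited_to_wheel PAMTEXT: succeeds if pam_wheel is a required auth module.
su_limited_to_wheel() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_wheel.so" { ok = 1 }
        END { exit !ok }'
}

for name in WEAK HARDENED; do
    eval "cfg=\$${name}_CONFIG"
    if group_requires_key "$cfg" wheel && su_limited_to_wheel "$PAM_SU"
    then echo "$name: su reachable only after key-pair login"
    else echo "$name: a password login can still reach su"
    fi
done
```

With this arrangement group membership is static and the authentication method is constrained per group, so nothing the logged-in user can set in the environment changes the outcome.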

