Re: public key authentication

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 07/21/05 

Date: Thu, 21 Jul 2005 07:12:07 -0400

"jayjwa" <jayjwa@spam.this.invalid> wrote in message
news:slrnddujav.mi8.jayjwa@atr2.ath.cx...
> On 2005-07-20, Richard E. Silverman wrote:
>
>>> AllowUsers (the users you want to allow ssh'ing into this serv.)
>>> AllowGroups users
>>
>> An account must pass both these tests to be logged in, so why use both?
>> It's easier to just create a separate group for SSH access and use
>> AllowGroups only, or allow the "users" group if you want to grant SSH
>> access to all users. You can then grant/deny SSH access without touching
>> the SSH configuration.
>>
>>> DenyUsers root bin mail shutdown (all those other logins in passwd file)
>>> DenyGroups root bin cdrom (same here, with group file)
>>
>> Same comment, not much point to this -- the AllowGroups statement already
>> denies access to any account not in the given groups.
>
> I don't remember asking for a review of how I do things, but whatever...
>
>
>>> Putting passwords on the keys is up to you. If you do, you'll have to
>>> type
>>> that in each and every time you ssh someplace. I guess it depends on how
>>> good
>>> your other security is.
>>
>> This is false and bad advice; use ssh-agent.
>>
>> http://www.snailbook.com/faq/no-passphrase.auto.html
>
> No, it is not false, nor it is bad advise. It is how *you* do something.
> Up
> top, first line, I say clearly "putting passwords on keys is up to you".
> Your
> way is one way, mine is another. Just because you don't do it doesn't make
> it
> wrong. I couldn't care less what URL's you quote either. Learn a little
> about
> the person you're attacking before doing so, maybe they know something.

It's still quite false, becuase there are literally dozens of excellent
tools for unlocking and managing your keys locally as part of a session, or
even keeping them for you across sessions (such as "keychain"). It's way,
way, way too easy to steal people's SSH private keys, especially if they're
in a networked home directory environment or use corporate backup tapes to
back up their desktops. Using unencrypted keys is begging for them to be
stolen.

The only thing that's kept me from stealing people's SSH keys from NFS
directories by loggin as local root and then "su"ing to be them is
politeness, but I've certainly notified such people that they should use
passphrases and preferably keep their keys on their machine, not my servers.

>>> cp (all those files) /home/you/.ssh
>>>
>>> touch /home/you/.ssh/authorized_keys
>>
>> What is the point of this?
>
> Are you stupid? I'm showing someone step by step something. I just come to
> this group, try to help someone with a detailed explaination instead of
> just
> saying rtfm, and I get blasted by you? Who the f* do you think you are? In
> either case, don't expect anymore replies from me, troller. This is all
> the
> rise out me your getting, consider yourself lucky I answered this.

He was polite, and factually correct. You're not being polite, you are
clearly incorrect in a number of your factual claims, and your advice is in
fact dangerous in security terms. If you don't understand why he is
countering your claims, then perhaps you shouldn't be giving technical
support or advice to anyone at least until you are more familiar with the
subject matter.

Relevant Pages

  • Re: Common shared home directory
    ... These two userids need to both use ssh for communication. ... UID would be set to the appropriate account. ... Are you willing to use different keys for each account? ...
    (comp.security.ssh)
  • Re: Opening ports in my firewall
    ... >> only with DSA keys, and not allowing manual password logins. ... - copy the .ssh directory to the new machine, if you control it, or ... Walter Dnes; my email address is *ALMOST* like wzaltdnes@waltdnes.org ...
    (comp.os.linux.security)
  • RE: sshd / ssh setup
    ... USA server and his windows/xp notebook to use SSH. ... followed sshd instruction and built ... and require users to submit keys. ...
    (freebsd-questions)
  • Re: SSH via Expect disconnects
    ... using autoexpect was the answer (please refer to thread ... >> I have received one suggestion that I explore the idea of using keys ... >> have poured through the manpage for Expect as well as SSH, ... >>> I am using an expect script to initiate an SSH session to another host ...
    (comp.lang.tcl)
  • Re: Firewall security: Re: Problems with simple Samba file share
    ... Man ssh ... ... Why is that, Peter? ... The firewall does help protect ... against someone stealing the keys and using them at another location. ...
    (comp.os.linux.misc)