Date:      Mon, 10 Sep 2001 23:21:17 +0100
From:      Alex Holst <a@area51.dk>
To:        Freebsd-security@FreeBSD.ORG
Subject:   Re: allow selective RSA AUTH in sshd setup?
Message-ID:  <20010910232117.A82808@area51.dk>
In-Reply-To: <Pine.BSF.4.10.10109101515250.52847-100000@federation.addy.com>; from jim@federation.addy.com on Mon, Sep 10, 2001 at 04:24:45PM -0400
References:  <20010910180239.B59628@area51.dk> <Pine.BSF.4.10.10109101515250.52847-100000@federation.addy.com>

Quoting Jim Sander (jim@federation.addy.com):
>    The reason I don't allow RSAAuthentication is that I envision this near
> certainty: a user will know enough to set up authentication from his
> personal machine, but won't adequately guard the private key file from the
> hypothetical latest Outlook flaw allowing his key to be sent to a script
> kiddie and then used to change his church's web site on my server into a
> porn warehouse.

Using RSA keys gives you two factors of protection. Using passwords gives
you one factor.

>    I can handle explaining "don't give your password away" and even
> "choose something better than Jesus1" - but explaining that he needs to
> periodically monitor a non-human-readable file in a "hidden" folder on the
> server is beyond my ability, let alone my desire.

Allow me to introduce you to the concept of a 'security policy.' -- those
who fail to understand and follow it will be escorted out of the building.
If management support for this approach does not come through then whatever
you are trying to protect can't be all that important.

-- 
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow.                  http://a.area51.dk/

