Date: Mon, 12 Apr 1999 10:47:29 -0500
From: David McNett <nugget@slacker.com>
To: freebsd-security@freebsd.org
Subject: Re: ssh and scp
Message-ID: <19990412104729.A62365@dazed.slacker.com>
In-Reply-To: <Pine.BSF.3.96.990409100127.23278B-100000@zerlargal.humbug.org.au>; from Bruce Campbell on Fri, Apr 09, 1999 at 10:26:24AM +1000
References: <199904080936.TAA11475@atdot.dotat.org> <Pine.BSF.3.96.990409100127.23278B-100000@zerlargal.humbug.org.au>
On 09-Apr-1999, Bruce Campbell wrote:
> Works for me, although I'll admit to being a bit shy of null-password RSA
> keys, which can be alleviated somewhat by restricting which hosts can use
> which keys.

Actually the level of restriction can be much more granular than simply permitting and denying on a host-by-host basis. The sshd manpage has considerable detail on this under the subheading AUTHORIZED_KEYS FILE FORMAT.

In addition to specifying valid remote hosts on a key basis, one can also restrict a keypair to a single command with the "command=" directive. In this way you can restrict the null-passphrase RSA key to a single task and not worry about an open shell if the keypair is compromised. While any null-passphrase situation is by definition an open door, you can at least limit the scope of the activity that compromise permits.

from="trust.slacker.com",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,command="/home/luser/bin/only_this_command" 1024 35 13857477407069656629790922654532431738217750695935005926561025281645881458968562818828612328348480183921191882598263470247545000152074356254788521384667497127695311113454699914367691104182860556020720126233941691609279985166322231277819860850869327337507767935037210072789473261413981869220778007945254798235 9 null passphrase key
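As an added illustration of what the program named in command="..." might look like (this is not the script from the message above, and the /var/backups/export path and the --run argument are assumptions): sshd runs the forced command instead of the client's request and exports that request in SSH_ORIGINAL_COMMAND, so the wrapper can permit exactly one task and refuse everything else, including a plain shell.

```shell
#!/bin/sh
# Hypothetical forced-command wrapper for a null-passphrase key, installed as
#   command="/home/luser/bin/only_this_command --run"   (assumed)
# sshd runs this instead of whatever the client asked for; the client's
# request arrives in SSH_ORIGINAL_COMMAND and is only honoured when it is
# the one permitted task: an scp pull of a file out of ALLOWED_DIR.

ALLOWED_DIR="/var/backups/export"   # assumption: the only tree this key may read

# is_permitted REQUEST: status 0 if REQUEST is the single permitted command
# form, 1 otherwise. No side effects, so it can be exercised on its own.
is_permitted() {
    req="$1"
    # Refuse shell metacharacters, quoting, globbing and path traversal
    # before looking at the shape of the request at all.
    case "$req" in
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'<'*|*'>'*|*'('*|*')'*|*'*'*|*'?'*) return 1 ;;
        *"'"*|*'"'*|*'\'*|*'..'*) return 1 ;;
    esac
    # Only "scp -f <file under ALLOWED_DIR>" (scp's source mode) is accepted.
    case "$req" in
        "scp -f $ALLOWED_DIR/"?*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        # No command means the client wanted a shell; this key gets none.
        logger -p auth.warning -t only_this_command "shell request refused"
        exit 1
    fi
    if is_permitted "$SSH_ORIGINAL_COMMAND"; then
        set -f                        # no globbing when the request is split
        exec $SSH_ORIGINAL_COMMAND    # intentionally unquoted: split into words
    fi
    logger -p auth.warning -t only_this_command "refused: $SSH_ORIGINAL_COMMAND"
    exit 1
}

# Dispatch only when invoked with --run (as the forced command is), so the
# functions can be sourced and checked without running main.
if [ "${1:-}" = "--run" ]; then main; fi
```

Refused requests are logged through syslog, which gives the host a record of any attempt to use the key beyond its single task.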