Date: 26 Sep 1998 02:11:17 +0200 From: dag-erli@ifi.uio.no (Dag-Erling C. =?iso-8859-1?Q?Sm=F8rgrav?= ) To: Brian Somers <brian@Awfulhak.org> Cc: committers@FreeBSD.ORG Subject: Re: Security and other facilities at WC CDROM - the plan. Message-ID: <xzp90j7hgwq.fsf@hrotti.ifi.uio.no> In-Reply-To: Brian Somers's message of "Fri, 25 Sep 1998 21:01:29 %2B0100" References: <199809252001.VAA03478@woof.lan.awfulhak.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[cc:s trimmed]
Brian Somers <brian@Awfulhak.org> writes:
> > Brian Somers <brian@Awfulhak.org> writes:
> > > If you do stuff from libalias'd machines, you must make your host key
> > > on all machines behind the alias'er the same as the alias'ers and add
> > > whatever *.freebsd.org sees as being the connecting machine to your
> > > .shosts file.
> > Don't use .shosts, use key authentication. Although your key includes
> > a host name, ssh doesn't actually care if it's the one you're calling
> > from or not, so you can generate a key on one machine and carry it
> > around to others. Very useful if your home directory is shared between
> > several machines.
> I'm not sure what you mean. Using .shosts is impossible without key
> authentication isn't it ? It would be the same as .rhosts otherwise.
No, .shosts is the same as .rhosts except that it's only honored by
ssh. From the sshd(8) man page:
$HOME/.ssh/authorized_keys
Lists the RSA keys that can be used to log into the
user's account. This file must be readable by root
(which may on some machines imply it being world-
readable if the user's home directory resides on an
NFS volume). It is recommended that it not be
accessible by others. The format of this file is
described above.
[...]
$HOME/.rhosts
This file contains host-username pairs, separated
by a space, one per line. The given user on the
corresponding host is permitted to log in without
password. The same file is used by rlogind and
rshd. Ssh differs from rlogind and rshd in that it
requires RSA host authentication in addition to
validating the host name retrieved from domain name
servers (unless compiled with the --with-rhosts
configuration option). The file must be writable
only by the user; it is recommended that it not be
accessible by others.
[...]
$HOME/.shosts
For ssh, this file is exactly the same as for
.rhosts. However, this file is not used by rlogin
and rshd, so using this permits access using ssh
only.
Having a host/user pair listed in .[rs]hosts will allow that user to
log in from that host without a password provided the host key matches
the key in known_hosts. Having a public key listed in authorized_keys
will allow any user from any host to log in without a password
provided he has the matching private key.
Or, on the other hand, I may have totally misunderstood everything.
DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzp90j7hgwq.fsf>