From: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
To: Brian Somers
Cc: committers@FreeBSD.ORG
Subject: Re: Security and other facilities at WC CDROM - the plan.
Date: 26 Sep 1998 02:11:17 +0200
In-Reply-To: Brian Somers's message of "Fri, 25 Sep 1998 21:01:29 +0100"
References: <199809252001.VAA03478@woof.lan.awfulhak.org>
Organization: University of Oslo, Department of Informatics
Sender: owner-cvs-all@FreeBSD.ORG

[cc:s trimmed]

Brian Somers writes:
> > Brian Somers writes:
> > > If you do stuff from libalias'd machines, you must make your host key
> > > on all machines behind the alias'er the same as the alias'ers and add
> > > whatever *.freebsd.org sees as being the connecting machine to your
> > > .shosts file.
> > Don't use .shosts, use key authentication. Although your key includes
> > a host name, ssh doesn't actually care if it's the one you're calling
> > from or not, so you can generate a key on one machine and carry it
> > around to others. Very useful if your home directory is shared between
> > several machines.
> I'm not sure what you mean. Using .shosts is impossible without key
> authentication, isn't it? It would be the same as .rhosts otherwise.

No, .shosts is the same as .rhosts except that it's only honored by ssh.
From the sshd(8) man page:

     $HOME/.ssh/authorized_keys
             Lists the RSA keys that can be used to log into the user's
             account. This file must be readable by root (which may on
             some machines imply it being world-readable if the user's
             home directory resides on an NFS volume). It is recommended
             that it not be accessible by others. The format of this
             file is described above.

     [...]

     $HOME/.rhosts
             This file contains host-username pairs, separated by a
             space, one per line. The given user on the corresponding
             host is permitted to log in without password. The same file
             is used by rlogind and rshd. Ssh differs from rlogind and
             rshd in that it requires RSA host authentication in addition
             to validating the host name retrieved from domain name
             servers (unless compiled with the --with-rhosts
             configuration option). The file must be writable only by
             the user; it is recommended that it not be accessible by
             others.

     [...]

     $HOME/.shosts
             For ssh, this file is exactly the same as for .rhosts.
             However, this file is not used by rlogin and rshd, so using
             this permits access using ssh only.

Having a host/user pair listed in .[rs]hosts will allow that user to log
in from that host without a password provided the host key matches the
key in known_hosts. Having a public key listed in authorized_keys will
allow any user from any host to log in without a password provided he
has the matching private key.

Or, on the other hand, I may have totally misunderstood everything.

DES
-- 
Dag-Erling Smørgrav - dag-erli@ifi.uio.no
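The two trust mechanisms contrasted in the message above, as an added example that is not part of the thread and not code from any ssh implementation. It models the rules quoted from sshd(8): a .rhosts/.shosts entry grants access only when the listed host/user pair matches and the connecting host proves the host key recorded in known_hosts, while an authorized_keys entry grants access to whoever holds the private key, regardless of origin. It goes one step beyond the 1998 text by also honouring the OpenSSH `from="pattern-list"` option (including `!` negation) on an authorized_keys line, which is the usual way to tie a key back to a host if that is wanted. All host names, key blobs and file contents are constructed sample data; the libalias case from the thread (an inside machine that the server sees under the alias'er's name but with its own host key) is the second attempt below.

```python
"""Model of sshd's host-based (.rhosts/.shosts) versus key-based
(authorized_keys) trust decisions. Illustrative only; constructed data."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample ~/.shosts: "host user", one pair per line.
SHOSTS_FILE = """\
# host user
woof.lan.awfulhak.org brian
hrotti.ifi.uio.no dag-erli
"""

# Constructed known_hosts: host name -> host public key on record.
KNOWN_HOSTS = {
    "woof.lan.awfulhak.org": "HOSTKEY-WOOF",
    "hrotti.ifi.uio.no": "HOSTKEY-HROTTI",
}

# Constructed ~/.ssh/authorized_keys. The from= option is an OpenSSH
# extension not mentioned in the 1998 text; the blobs are placeholders.
AUTHORIZED_KEYS_FILE = """\
# keys for dag-erli
ssh-rsa AAAAB3-KEY-ONE dag-erli@hrotti
from="*.ifi.uio.no,!hrotti.ifi.uio.no" ssh-rsa AAAAB3-KEY-TWO dag-erli@laptop
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


@dataclass(frozen=True)
class Attempt:
    host: str                 # name sshd resolved for the connecting address
    user: str                 # remote user name the client claims
    host_key: Optional[str]   # host key the client proved, if host auth ran
    user_key: Optional[str]   # user public key the client proved, if any


def parse_shosts(text: str) -> Set[Tuple[str, str]]:
    """Return the (host, user) pairs listed in a .rhosts/.shosts file."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#"):
            pairs.add((fields[0], fields[1]))
    return pairs


def _first_field(line: str) -> Tuple[str, str]:
    """Split off the first field, ending at whitespace outside double quotes
    (authorized_keys options may contain quoted spaces and commas)."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def _split_options(opts: str) -> List[str]:
    """Split a comma-separated option list, honouring (and dropping) quotes."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_keys(text: str) -> List[Tuple[str, str, Optional[List[str]]]]:
    """Return (keytype, blob, from_patterns) per entry; from_patterns is None
    when the entry carries no from= restriction."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first, rest = _first_field(line)
        if first in KEY_TYPES:
            options, keytype = [], first
        else:
            options = _split_options(first)
            keytype, rest = _first_field(rest)
            if keytype not in KEY_TYPES:
                continue  # malformed entry: ignore rather than trust it
        blob = rest.split()[0] if rest else ""
        from_patterns = None
        for opt in options:
            if opt.startswith("from="):
                from_patterns = opt[len("from="):].split(",")
        entries.append((keytype, blob, from_patterns))
    return entries


def match_pattern_list(name: str, patterns: List[str]) -> bool:
    """OpenSSH-style pattern list: '*'/'?' wildcards, a leading '!' negates,
    and any negated match rejects regardless of the other patterns."""
    allowed = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(name.lower(), pat.lower()):
            if negate:
                return False
            allowed = True
    return allowed


def rhosts_allows(a: Attempt, pairs, known_hosts) -> bool:
    """.rhosts/.shosts: listed pair AND host key matches known_hosts."""
    if (a.host, a.user) not in pairs:
        return False
    expected = known_hosts.get(a.host)
    return expected is not None and expected == a.host_key


def key_allows(a: Attempt, entries) -> bool:
    """authorized_keys: matching key from anywhere, unless from= restricts it."""
    for _keytype, blob, from_patterns in entries:
        if a.user_key != blob:
            continue
        if from_patterns is None or match_pattern_list(a.host, from_patterns):
            return True
    return False


def decide(a: Attempt, shosts=SHOSTS_FILE, authorized=AUTHORIZED_KEYS_FILE,
           known_hosts=KNOWN_HOSTS) -> Optional[str]:
    """Return which mechanism granted access ('rhosts' or 'key'), or None."""
    if rhosts_allows(a, parse_shosts(shosts), known_hosts):
        return "rhosts"
    if key_allows(a, parse_authorized_keys(authorized)):
        return "key"
    return None


if __name__ == "__main__":
    # brian from woof with woof's host key: .shosts trust applies
    print(decide(Attempt("woof.lan.awfulhak.org", "brian", "HOSTKEY-WOOF", None)))
    # inside machine seen as woof but presenting its own host key: refused
    print(decide(Attempt("woof.lan.awfulhak.org", "brian", "HOSTKEY-INSIDE", None)))
    # holder of KEY-ONE from an unrelated host: key trust applies
    print(decide(Attempt("somewhere.example", "anyone", None, "AAAAB3-KEY-ONE")))
```

The second attempt is the libalias situation: the server resolves the connection to the alias'er's name, so the .shosts pair matches, but the key it is offered is not the one known_hosts records for that name, and host-based trust fails. The third shows why key authentication does not care where the session originates. The from= handling is deliberately the minimal OpenSSH semantics (wildcards and `!` negation on host names); address patterns and CIDR forms are not modelled.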