Date:      Fri, 25 Sep 1998 21:01:29 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav )
Cc:        Brian Somers <brian@Awfulhak.org>, Mark Murray <mark@grondar.za>, Nik Clayton <nik@nothing-going-on.demon.co.uk>, committers@FreeBSD.ORG
Subject:   Re: Security and other facilities at WC CDROM - the plan. 
Message-ID:  <199809252001.VAA03478@woof.lan.awfulhak.org>
In-Reply-To: Your message of "25 Sep 1998 11:52:58 +0200." <xzpaf3objt1.fsf@hrotti.ifi.uio.no> 

> Brian Somers <brian@Awfulhak.org> writes:
> > If you do stuff from libalias'd machines, you must make your host key 
> > on all machines behind the alias'er the same as the alias'ers and add 
> > whatever *.freebsd.org sees as being the connecting machine to your 
> > .shosts file.
> 
> Don't use .shosts, use key authentication. Although your key includes
> a host name, ssh doesn't actually care if it's the one you're calling
> from or not, so you can generate a key on one machine and carry it
> around to others. Very useful if your home directory is shared between
> several machines.

?

I'm not sure what you mean.  Using .shosts is impossible without key 
authentication isn't it ?  It would be the same as .rhosts otherwise.

Having a host in your known_hosts and .shosts file just allows 
automatic key authentication (no password required).  Making the same 
connection from an IP that's not in known_hosts and .shosts is still 
ok, but requires your pass phrase or password at login time.

Am I missing something ?

Hmmm, maybe I am.  Thinking about it, it would make sense if .shosts 
specified what machine/ip you can use known_hosts with,  and 
known_hosts specifies what that host key should be.  If this is the 
case, then a separate key can be used even for hosts behind an 
aliased gateway, as long as the gateway is in the .shosts file and 
the connecting machine is in known_hosts.

Hmm, I'll do a bit of mucking around at some point and figure this 
out ;-)  Thanks for the food for thought.

> DES
> -- 
> Dag-Erling Smørgrav - dag-erli@ifi.uio.no
> 

-- 
Brian <brian@Awfulhak.org>, <brian@FreeBSD.org>, <brian@OpenBSD.org>
      <http://www.Awfulhak.org>;
Don't _EVER_ lose your sense of humour....
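As an added illustration of the two authorization paths argued over above (not code from the message or from the FreeBSD project), the following Python models the split Brian arrives at: .shosts names which client host and user may log in without a password, while known_hosts supplies the host key that client must prove it holds. It also models the point DES makes, that public-key authentication via authorized_keys compares only the key material and ignores the trailing user@host comment. Real ssh performs these checks itself; the model assumes exact host-name matching, no wildcards or hashed entries, and all host names, users, file contents and key strings are constructed sample data.

```python
"""Simplified model of ssh host-based vs. public-key authorization as discussed
in the thread. Added example, not the original message's or ssh's own code.
Assumptions: exact host-name matching, no wildcards, no hashed known_hosts
entries. Every name and key below is constructed sample data."""

# Constructed sample ~/.ssh/known_hosts: "host[,host...] keytype key"
KNOWN_HOSTS = """\
gateway.example.net,10.0.0.1 ssh-rsa AAAAB3...GATEWAYKEY
laptop.example.net ssh-rsa AAAAB3...LAPTOPKEY
"""

# Constructed sample ~/.shosts: "host [user]" (no user means any user from that host)
SHOSTS = """\
gateway.example.net brian
laptop.example.net
"""

# Constructed sample ~/.ssh/authorized_keys: "keytype key comment"
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3...USERKEY brian@laptop.example.net
"""


def parse_known_hosts(text):
    """Map each listed host name to (keytype, key); blank, comment and short lines are skipped."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        for host in parts[0].split(","):
            keys[host] = (parts[1], parts[2])
    return keys


def parse_shosts(text):
    """Map host -> set of permitted users, or None when any user on that host is trusted."""
    trusted = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 1:
            trusted[parts[0]] = None  # bare host line: any user
        elif trusted.get(parts[0], set()) is not None:
            trusted.setdefault(parts[0], set()).add(parts[1])
    return trusted


def host_based_auth_ok(client_host, client_user, presented_key, known_hosts, shosts):
    """Both files must agree: .shosts trusts the client host/user, and the key the
    client presents must equal that host's known_hosts entry."""
    if client_host not in shosts:
        return False
    users = shosts[client_host]
    if users is not None and client_user not in users:
        return False
    return known_hosts.get(client_host) == presented_key


def pubkey_auth_ok(presented_key, authorized_keys_text):
    """Only keytype and key are compared; the comment (often user@host) is ignored,
    which is why a key can be carried between machines."""
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and (parts[0], parts[1]) == presented_key:
            return True
    return False


def demo():
    known = parse_known_hosts(KNOWN_HOSTS)
    shosts = parse_shosts(SHOSTS)
    gateway_key = ("ssh-rsa", "AAAAB3...GATEWAYKEY")
    laptop_key = ("ssh-rsa", "AAAAB3...LAPTOPKEY")
    return {
        # A machine behind the aliasing gateway is seen as the gateway; its own host key does not match.
        "behind_alias_own_key": host_based_auth_ok("gateway.example.net", "brian", laptop_key, known, shosts),
        # The same machine after adopting the gateway's host key, the workaround quoted in the thread.
        "behind_alias_gateway_key": host_based_auth_ok("gateway.example.net", "brian", gateway_key, known, shosts),
        # Right host and key, but the user is not listed for that host in .shosts.
        "wrong_user": host_based_auth_ok("gateway.example.net", "mark", gateway_key, known, shosts),
        # Host key is pinned in known_hosts, but the host is absent from .shosts.
        "not_in_shosts": host_based_auth_ok("10.0.0.1", "brian", gateway_key, known, shosts),
        # Public-key path: the comment names the laptop, yet the key is accepted regardless of origin.
        "pubkey_from_elsewhere": pubkey_auth_ok(("ssh-rsa", "AAAAB3...USERKEY"), AUTHORIZED_KEYS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running it shows why the thread's libalias workaround (cloning the gateway's host key) is needed under host-based authentication, and why the public-key path sidesteps the problem entirely: authorized_keys never consults the connecting host's identity, only the key material.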

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199809252001.VAA03478>