[clue-admin] User setup for "member" accounts

Collins Richey crichey at gmail.com
Sun Jan 2 14:29:56 MST 2005


A summary of what I've found thus far:

1. We've already determined that we want public key authentication.
2. sftp requires "some kind of a shell"; /bin/false and/or
/sbin/nologin won't cut it.
3. The "almost a shell" /usr/libexec/openssh/sftp-server will prevent
the user from getting into anything other than sftp commands. This
would be an acceptable solution, if we don't mind users being able to
browse directories other than their own. Do you other admins consider
this an "acceptable risk"?
4. Much of the googling I've done recommends using the scponly shell
(< version 4.0 has security problems) and/or its chroot jail. Do we
want to pursue this path? If someone wants to install the software,
I'll be happy to check it out. The question is, do we need this, or is
the solution in 2. adequate?

Your opinions, please.

On a related topic: my understanding of ssh and key authentication is
too limited at this point. Currently I'm just using standard password
authentication when I ssh to the CLUE server, but I would like to
switch to public key authentication. The one wrinkle is, I have a
multi-boot system - one system is Gentoo, the other is Slack. When I
generate a private/public key pair, can I simply copy my private key
to ~/.ssh/authorized_keys on both my systems so that I can login using
the public key I've copied to my CLUE server account?

-- 
 Collins
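As an added illustration of the risk raised in point 3 (members browsing outside their own directory) and the public-key requirement in point 1, here is a small audit script, not from the post or from CLUE, that checks an sshd_config for a confined sftp-only member group. It assumes the later OpenSSH directives Match, ChrootDirectory and internal-sftp (which the 2005 post does not mention), a group named "members", and a constructed sample config embedded inline.

```python
"""Audit an sshd_config for an sftp-only, chrooted member group (added example)."""

# Constructed sample config, not taken from the post or the CLUE server.
# Match/ChrootDirectory/internal-sftp are later OpenSSH features (assumed here).
SAMPLE_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp

Match Group members
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# Directives a restricted member block must carry; None means "any value, but set".
REQUIRED = {
    "forcecommand": "internal-sftp",
    "chrootdirectory": None,
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, {match_spec: settings}); keys are lowercased."""
    global_cfg, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        parts = line.split(None, 1)              # "Key value" (the '=' form is not handled)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":                       # everything after a Match line belongs to it
            current = value.lower()
            blocks[current] = {}
            continue
        (global_cfg if current is None else blocks[current])[key] = value
    return global_cfg, blocks


def audit_member_group(text, group="members"):
    """Return the gaps that would let a member beyond sftp, or [] when confined."""
    global_cfg, blocks = parse_sshd_config(text)
    problems = []
    if global_cfg.get("passwordauthentication", "yes") != "no":   # sshd default is yes
        problems.append("password authentication still enabled")
    block = blocks.get(f"group {group}")
    if block is None:
        return problems + [f"no Match block for group {group}"]
    for key, want in REQUIRED.items():
        have = block.get(key)
        if have is None or (want is not None and have.lower() != want):
            problems.append(f"{key} should be {want or 'set'} (got {have})")
    return problems
```

The script only reads the text; ChrootDirectory also requires the target directory and every parent to be root-owned and not group- or world-writable, which must be checked on the filesystem.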