[clue-admin] User setup for "member" accounts

Jed S. Baer thag at frii.com
Sun Jan 2 15:09:07 MST 2005


On Sun, 2 Jan 2005 14:29:56 -0700
Collins Richey wrote:

> A summary of what I've found thus far:
> 
> 1. We've already determined that we want public key authentication.

Yeah, but I wonder if there's any way to enforce that. It's sort of a
catch-22, because members will need to use password authentication to
transfer their public ssh key to the CLUE server to start with.

[ snipping what I don't know what to say about ]

> 4. Much of the googling I've done recommends using the scponly shell
> (< version 4.0 has security problems) and/or its chroot jail. Do we
> want to pursue this path? If someone wants to install the software,
> I'll be happy to check it out. The question is, do we need this, or is
> the solution in 2. adequate?

If it's available as an RPM, you can install it easily enough yourself.
Try 'yum list scponly'. BTW, I'm against installing from source, as it
makes admining the box more difficult -- but that's a whole 'nother topic.
If it comes down to that, I'll generate an RPM file.

> On a related topic. My understanding of ssh and key authentication is
> too limited at this point. Currently I'm just using standard password
> authentication when I ssh to the CLUE server, but I would like to
> switch to public key authentication. The one wrinkle is, I have a
> multi-boot system - one system is gentoo the other is slack. When I
> generate a private/public key pair, can I simply copy my private key
> to ~/.ssh/authorized keys on both my systems so that I can login using
> the public key I've copied to my CLUE server account?

The authorized_keys[2] file goes on the destination server. As long as
your /home/username/.ssh directory, under both boots has the .ssh
directory with the id_rsa or id_dsa file, I think you'll be ok, unless
there's some system-id stuff encoded into the private key. But I don't
think that's the case. (Maybe nodename?)

jed
-- 
http://s88369986.onlinehome.us/freedomsight/
Key fingerprint = B027 FEFB 4281 CC72 67D1  4237 F2D0 D356 077A A30E
... it is poor civic hygiene to install technologies that could someday
facilitate a police state. -- Bruce Schneier
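
[Added example, not part of the original message or of OpenSSH.] On the question of whether a key pair is tied to the machine it was generated on: this sketch parses two plain public key lines (no authorized_keys options) that differ only in their trailing comment and shows the fingerprint is computed over the key blob alone. The key blob is built from made-up numbers, and the comments member@gentoo-boot and member@slack-boot are constructed sample values.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed string, as used inside SSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_rsa_blob() -> bytes:
    """Well-formed ssh-rsa blob built from made-up numbers (not a usable key)."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + bytes(range(128, 256))  # constructed 1024-bit value
    return ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)


def parse_pubkey_line(line: str):
    """Split a plain 'type base64 [comment]' line into (type, blob, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    # The blob carries its own copy of the key type; the two must agree.
    if blob[4:4 + tlen] != fields[0].encode("ascii"):
        raise ValueError("key type does not match blob")
    return fields[0], blob, fields[2] if len(fields) == 3 else ""


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint over the key blob only; the comment is not hashed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def same_key(line_a: str, line_b: str) -> bool:
    """True when two public key lines carry the same key material."""
    return fingerprint(parse_pubkey_line(line_a)[1]) == fingerprint(parse_pubkey_line(line_b)[1])


# Constructed sample lines: same blob, different comments.
B64 = base64.b64encode(constructed_rsa_blob()).decode()
LINE_GENTOO = f"ssh-rsa {B64} member@gentoo-boot"
LINE_SLACK = f"ssh-rsa {B64} member@slack-boot"

if __name__ == "__main__":
    for line in (LINE_GENTOO, LINE_SLACK):
        ktype, blob, comment = parse_pubkey_line(line)
        print(ktype, fingerprint(blob), comment)
    print("same key:", same_key(LINE_GENTOO, LINE_SLACK))
```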


