Mike Leone on Tue, 25 Sep 2001 15:10:11 +0200

> The hooks are probably still there, though, and it couldn't be
> particularly difficult to hack this in.

If you're a programmer, perhaps not. Not everyone is, you know. :-) Too many Linux users forget that point.

> I think you're completely missing the point of public/private key
> authentication, though. The principle is to never send
> authentication tokens over the wire by typing them which, even in an
> encrypted stream, is less than safe. (Note that setting

No, I'm not missing the point. I just want it to do things it's (apparently) not designed to do.

I don't want just anybody with an SSH-enabled telnet client to be able to type in my IP address, and immediately get a system login prompt. That's only 1 layer of security. Suppose there is a (at the moment undiscovered) security hole in SSH. Now anybody can start attacking that hole, and (perhaps) break through into my production server. Or suppose somebody manages to hijack my key, and use it to SSH over to my host. Now this person is in, without ever having to bother cracking my host password (yes, I know it's a bit far-fetched).

Ideally, I want SSH to only respond if there is a public key installed on the host ahead of time. And even then, I want it to ask for a valid host ID and password. Yes, I realize the first part is more of an authorization/authentication mechanism better suited to a VPN, to allow access into the LAN at all.

Yes, I realize I could have 2 SSH hosts - one that will work with the public keys, and - once you've authenticated to host #1 - then SSH over to the other host, where you'll be asked for its ID and password. (That's how I access my home system - I SSH into my web server, and from there, SSH over to my main system.)

Was just trying to figure out if I could do both ways - public key passphrase and ID/password - to 1 host at the same time. But it looks like it's not to be.
______________________________________________________________________ Philadelphia Linux Users Group - http://www.phillylinux.org Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
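The "both ways to one host" requirement discussed in the post above, as an added example that is not part of the original thread: later OpenSSH releases (6.2 and newer) added the `AuthenticationMethods` directive, which makes sshd require every listed method in sequence before granting a session. The fragment below is an illustrative `sshd_config` excerpt; `Match` group name and the sample user are assumptions, not from the post.

```text
# Added example sshd_config excerpt (not from the original thread).
# Require a public key that was installed ahead of time AND a valid
# account password for the same login; failing either one means no session.

PubkeyAuthentication yes
PasswordAuthentication yes

# Both methods must succeed, in this order: key first, then password.
# A stolen private key alone is not enough to log in.
AuthenticationMethods publickey,password

# Optional: only apply the two-factor rule to a specific group
# ("shellusers" is an assumed group name for this example).
Match Group shellusers
    AuthenticationMethods publickey,password
```

After editing, check the parsed configuration with `sshd -T` (OpenSSH's built-in test/dump mode) before restarting the daemon, and confirm from a second terminal that a login with a key but no password is refused. A client with no key installed on the host never reaches the password prompt, which covers the "only respond if a key is already present" half of the request.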