gabriel rosenkoetter on Mon, 1 Jul 2002 22:00:12 +0200
On Mon, Jul 01, 2002 at 03:24:56PM -0400, Fred K Ollinger wrote:
> I know how to make keys for ssh, however, how to make a _different_ key
> for each user interests me, and I thought it would be of interest to
> others on the list as well as informative.
>
> Any hints on this?

Same way you made the first one. Give that user the key pair, put the public key in root's .ssh/authorized_keys (if you're using OpenSSH) or in a file under root's .ssh2 and list it in root's .ssh2/authorization file on the servers where that person needs root access (if you're using FSecure's SSH-2 implementation).

Fwiw, this is how all access to user accounts is maintained within the NetBSD world (and especially at Wasabi Systems). Most users have no password set at all on those systems; only those who would ever have reason to log into the console do.

> It seems highly cool to give someone a root floppy w/ a key that can be
> revoked or expired.

Well, there's no concept of expiration on SSH-2 keys (not the only failing; they also lack any way to sign one public key with another private key, which would be hugely useful when bringing up a new machine that users will only ever have remote access to, as there would be a guaranteed way for the users to trust the new host key, since it was signed by the old one), and revocation consists merely of removing the public key from the authorization file (as appropriate for your SSH-2 implementation).

--
gabriel rosenkoetter
gr@eclipsed.net
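The per-user key and revocation handling described in the message above, as an added example that is not part of the original post: it keeps one tagged public key per administrator in an OpenSSH-style authorized_keys file and revokes by removing that person's line. The function names, the `root-access:` tag and the key material are constructed for illustration.

```sh
#!/bin/sh
# Added example: one tagged public key per administrator in root's
# authorized_keys (OpenSSH one-key-per-line format). Key material is constructed.

# grant_key FILE USER "TYPE BLOB [COMMENT]": 0 added, 1 already present, 2 bad input
grant_key() {
    file=$1 user=$2
    case $user in ''|*[!A-Za-z0-9._-]*) return 2;; esac   # keep the tag one clean token
    type=$(printf '%s\n' "$3" | awk '{print $1}')
    blob=$(printf '%s\n' "$3" | awk '{print $2}')
    [ -n "$blob" ] || return 2
    touch "$file" && chmod 600 "$file" || return 2
    # The blob identifies the key; refuse it if any existing line carries it.
    if awk -v b="$blob" '{for (i = 1; i <= NF; i++) if ($i == b) f = 1} END {exit !f}' "$file"
    then return 1; fi
    # Replace the owner's comment with our own tag so revocation never depends on it.
    printf '%s %s root-access:%s\n' "$type" "$blob" "$user" >> "$file"
}

# revoke_key FILE USER: drop that user's key(s); 0 removed, 1 none found, 2 no file
revoke_key() {
    file=$1 user=$2
    [ -f "$file" ] || return 2
    tmp=$(mktemp "$file.XXXXXX") || return 2
    awk -v tag="root-access:$user" '$NF != tag' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then rm -f "$tmp"; return 1; fi
    chmod 600 "$tmp" && mv "$tmp" "$file"   # rename keeps the swap atomic
}

# list_holders FILE: print the users who currently hold a key
list_holders() {
    awk '$NF ~ /^root-access:/ {sub(/^root-access:/, "", $NF); print $NF}' "$1"
}

# Demo on a scratch file standing in for root's .ssh/authorized_keys
demo_dir=$(mktemp -d)
demo_file=$demo_dir/authorized_keys
grant_key "$demo_file" alice "ssh-rsa AAAAconstructedALICE alice@laptop"
grant_key "$demo_file" bob "ssh-rsa AAAAconstructedBOB bob@desk"
revoke_key "$demo_file" alice
list_holders "$demo_file"    # bob only
rm -rf "$demo_dir"
```

Removing the line stops new logins with that key; sessions already open under it are not affected by the edit.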