Feature disappeared?
Pekka Savola
pekkas at netcore.fi
Mon Oct 30 22:15:01 EST 2000
On Mon, 30 Oct 2000, Gert Doering wrote:
> working on tightening our network (somewhat) today, I found that OpenSSH
> doesn't seem to have the "AllowSHosts" directive (in sshd_config) that
> Commercial SSH (at least 1.2.25 & up) has.
>
> Now I wonder whether that hasn't been implemented yet, or has been dropped
> for a certain reason.
>
> I find this very useful for what I want to achieve - inside the company
> network, .shosts is honoured, from outside the company, it isn't. No
> matter what people put in their .shosts, they can't log in from home
> without a password (and S/Key in future), thus a break-in into their home
> machine won't immediately break the office network as well...
>
> Or is this train of thought flawed somewhere? (As usual, I have to
> balance user convenience vs. security - if security is too inconvenient,
> people won't use it).
'IgnoreRhosts yes' will ignore .shosts files too.
However, people can log in without a password otherwise too, if they're
using RSAAuthentication. It'll ask for a passphrase, but the user can
also make it empty.
--
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi not those you stumble over and fall"
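
A way to check an sshd_config for the two directives named in the reply above, added here as an example (not part of the original message, and not OpenSSH code). The sample config is constructed, and the defaults in `DEFAULTS` are assumptions to confirm against sshd_config(5) for the installed version.

```python
import re

# Assumed defaults when a keyword is absent (verify for your sshd version).
DEFAULTS = {"ignorerhosts": "yes", "rsaauthentication": "yes"}

# Keyword, then whitespace or "=", then the argument.
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def effective_settings(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and sshd keeps the FIRST value it reads
    for a keyword, so a later "IgnoreRhosts yes" does not override an
    earlier "IgnoreRhosts no".
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":  # conditional blocks are out of scope here
            break
        seen.setdefault(key, value)
    return seen

def audit(config_text):
    """List what the thread cares about: .shosts use and key-based login."""
    eff = {**DEFAULTS, **effective_settings(config_text)}
    findings = []
    if eff["ignorerhosts"].lower() != "yes":
        findings.append("shosts-not-ignored")
    if eff["rsaauthentication"].lower() == "yes":
        # The passphrase on a user's key may be empty, as the reply notes.
        findings.append("rsa-key-login-enabled")
    return findings

# Constructed sample: the second IgnoreRhosts line has no effect.
SAMPLE = """\
# constructed example, not a real host's configuration
ignorerhosts no
RSAAuthentication yes
IgnoreRhosts yes
"""

if __name__ == "__main__":
    print(effective_settings(SAMPLE))
    print(audit(SAMPLE))
```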