Feature disappeared?
Gert Doering
gert at greenie.muc.de
Mon Oct 30 22:35:13 EST 2000
Hi,
On Mon, Oct 30, 2000 at 01:15:01PM +0200, Pekka Savola wrote:
> > working on tightening our network (somewhat) today, I found that OpenSSH
> > doesn't seem to have the "AllowSHosts" directive (in sshd_config) that
> > Commercial SSH (at least 1.2.25 & up) has.
[..]
> > Or is this train of thought flawed somewhere? (As usual, I have to
> > balance user convenience vs. security - if security is too inconvenient,
> > people won't use it).
>
> 'IgnoreRhosts yes' will ignore .shosts files too.
Umm, yes, but that's something else. AllowSHosts permits .shosts files on
a per-host basis, so I can say "for *.mydomain.de, .shosts is ok, for
everybody else, it's not ok".
IgnoreRhosts does this on a for-all-clients basis.
> However, people can log in without password otherwise too, if they're
> using RSAAuthentication. It'll ask for a passphrase, but the user can
> also make it empty.
Yes, but it's a bit harder to mess up :-)
gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de