Use of non-user readable (null password) private keys

Pete Chown Pete.Chown at skygate.co.uk
Wed Mar 28 21:09:32 EST 2001


Piete Brooks wrote:

> Executive summary: Why can I not have a private key which is
> `public' ?

Every time I use OpenSSH I seem to get caught out by the permission
checks.  I use umask 002 and my private files are all in a private
group.  This way I don't accidentally deny others access when I work
on shared material.  But OpenSSH doesn't like mode 775...

> We use a client/server model with no `user' accounts on servers.
> There are certain operations which a user may require to run with
> certain privs, and we use ssh to do this.

You could use the agent.  I've just tried and it doesn't look as
though ssh checks permissions on the socket directory.  This would
also have the nice feature that users couldn't copy the key.  You
would therefore be able to revoke access from one user without
revoking the key for the whole group.

-- 
Pete
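The two mechanisms in the message above, as an added example that is not code from the thread: the first function applies the same owner-only permission test OpenSSH makes on an identity file (which is why a mode 775 key is refused), and the second sets up the group-shared ssh-agent socket Pete proposes. The group name, directory and key path are whatever the caller passes in, and OpenSSH's `ssh-agent -a` and `ssh-add` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post.
#  1. key_is_private_enough: the check OpenSSH applies before loading a
#     private key. Any group/other permission bit means rejection, so a
#     key created with umask 002 (mode 664/775) fails even if the group
#     is a private one.
#  2. share_agent_socket: the alternative from the message. One agent per
#     group, its socket inside a setgid, group-only directory. Members can
#     ask the agent to sign with the key but can never read or copy it, so
#     dropping one user from the group revokes only that user.

# Return 0 when the file has no group/other permission bits, else 1.
key_is_private_enough() {
    f=$1
    # GNU stat prints e.g. "664"; fall back to BSD stat's octal form.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f")
    mode=$(printf '%s' "$mode" | tail -c 3)   # drop any setuid/setgid digit
    case "$mode" in
        ?00) return 0 ;;   # 600, 400, 700: owner only
        *)   return 1 ;;   # any g/o bit set: OpenSSH refuses the key
    esac
}

# Start a group-shared agent.  $1 = group, $2 = socket directory,
# $3 = private key to load.  Prints the socket path; group members then
# export SSH_AUTH_SOCK to that path.  Assumes ssh-agent/ssh-add exist.
share_agent_socket() {
    grp=$1; dir=$2; key=$3
    install -d -m 2770 -g "$grp" "$dir" || return 1   # owner+group, setgid
    sock="$dir/agent.sock"
    eval "$(ssh-agent -a "$sock")" >/dev/null || return 1
    chmod 660 "$sock"            # group may connect; others may not
    ssh-add "$key" >/dev/null 2>&1 || return 1
    printf '%s\n' "$sock"
}
```

Anyone who can connect to the socket can use the key for signing, so the directory and socket are group-only, never world-accessible; removing a user from the group takes effect for that user's new sessions.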


