missing corner case in authorized_keys?

Jonathan Walther krooger at debian.org
Sun Apr 7 22:03:57 EST 2002


I've written up a little HOWTO on how I set up my CVS server to allow
anonymous access via ssh.  I did it a little bit differently than the
method documented by Theo and crew.  Where their login shell has a lot
of stuff in it, mine is a simple execle() statement.  Url is here:
    http://reactor-core.org/#code

After following the steps outlined in the HOWTO, I came across the
following problem.  How can I disable things like port forwarding, X
forwarding, agent forwarding, and so on to people who are connecting to
this passwordless account?

The .ssh/authorized_keys file seems to provide the perfect solution,
except that users are not logging in with public keys; they are being
logged in without any key or password.  And this is as it needs to be.

I thought of one solution, but am not sure if it is correct:  What if
"*" was understood to mean "any key not otherwise specified in this
file" in the authorized_keys file?  Then I could turn all the options on
and off to my hearts content.  My only hesitation is that since the user
is logging in via password mechanism, no public key is involved, so
authorized_keys probably wouldn't even come into the picture.

I'm not married to the above idea; but I would like some mechanism to
enable and disable sshd features on a per user basis, so that I can use
ssh to provide encryption for otherwise cleartext public services,
without compromising my box, or locking down users that I do trust.

Also, in authorized_keys I can limit the -L port forwarding; how about a
keyword for controlling -R port forwarding as well?  I don't want Joe
Random CVS user opening up a port to listen on my box.

Cheers!

Jonathan

-- 
                     Geek House Productions, Ltd.

  Providing Unix & Internet Contracting and Consulting,
  QA Testing, Technical Documentation, Systems Design & Implementation,
  General Programming, E-commerce, Web & Mail Services since 1998

Phone:   604-435-1205
Email:   djw at reactor-core.org
Webpage: http://reactor-core.org
Address: 2459 E 41st Ave, Vancouver, BC  V5R2W2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 350 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020407/c4249958/attachment.bin 


More information about the openssh-unix-dev mailing list