User-Dependent Identity File

Frank Cusack fcusack at fcusack.com
Fri Jan 18 03:45:18 EST 2002


On Tue, Jan 15, 2002 at 06:35:51PM -0000, John Bowman wrote:
> > > > > make /ssh a local (non-NFS) file system and use a syntax like this in the
> > > > > system wide ssh_config file:
> > > > > 
> > > > > IdentityFile /ssh/%u/id_rsa
> > > > 
> > > > That's unlikely.
> > > > 
> > > Oh?  It is a serious security hole on many systems running openssh, so I'm
> > 
> > really? even if it's on unprotected NFS, id_rsa is still encrypted.
> I presume you mean using non-blank passphrases. Many people trust the
> integrity of their local file systems and use blank pass phrases, rather
> than using ssh-agent, etc. (a good example of where this is absolutely
> necessary is for tunnelling lpd through ssh, see
> http://www.math.ualberta.ca/imaging/snfs/lpd). But this means that id_rsa
> can't be stored on an NFS mounted partition.

Why does the lpd tunnelling described there require a blank passphrase?
Why does storing the key on a local file system require %u?

/fc
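The point under dispute in the thread is whether a private key left on an NFS-mounted home directory is protected by its passphrase or is sitting there in the clear. The following is an added example, not code from the thread or from OpenSSH: a small Python checker that reads an identity file's header and reports whether the key material is encrypted, for both the legacy PEM layout (encrypted keys carry a `Proc-Type: 4,ENCRYPTED` header and a `DEK-Info` line) and the newer `openssh-key-v1` blob (whose first field is the cipher name, `none` for an unencrypted key). It then flags keys that are both unencrypted and stored under a mount prefix the caller declares as NFS. The sample key bodies are constructed for the example and are truncated right after the fields the check needs; the NFS prefixes and paths are assumptions, not values from the thread.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher_name(b64_body: str) -> str:
    """Return the cipher name stored at the start of an openssh-key-v1 blob."""
    raw = base64.b64decode(b64_body)
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])  # string fields are uint32 length + bytes
    return raw[off + 4:off + 4 + n].decode("ascii")


def is_key_encrypted(text: str) -> bool:
    """True if the private key file in `text` is passphrase-protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        return openssh_cipher_name(body) != "none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if header.endswith("PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC): encryption is signalled by an RFC 1421 header.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("unrecognized private key format")


def audit_keys(entries, nfs_prefixes):
    """Return paths of unencrypted keys that live under one of the NFS prefixes.

    `entries` is a list of (path, file_text) pairs; in a real audit these would be
    read from disk and `nfs_prefixes` taken from the mount table.
    """
    flagged = []
    for path, text in entries:
        on_nfs = any(path.startswith(p) for p in nfs_prefixes)
        if on_nfs and not is_key_encrypted(text):
            flagged.append(path)
    return flagged


# --- constructed sample inputs (not real keys) --------------------------------

def _fake_openssh_blob(cipher: bytes) -> str:
    # Only the magic and the cipher-name field are meaningful; the rest is filler.
    raw = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 8
    return base64.b64encode(raw).decode("ascii")


SAMPLE_OPENSSH_ENCRYPTED = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + _fake_openssh_blob(b"aes256-ctr")
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_OPENSSH_PLAIN = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + _fake_openssh_blob(b"none")
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0g=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PEM_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0g=\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# Hypothetical layout: /home is NFS-mounted, /ssh is a local file system.
SAMPLE_ENTRIES = [
    ("/home/alice/.ssh/id_rsa", SAMPLE_PEM_PLAIN),
    ("/home/bob/.ssh/id_rsa", SAMPLE_OPENSSH_ENCRYPTED),
    ("/home/carol/.ssh/id_rsa", SAMPLE_OPENSSH_PLAIN),
    ("/ssh/dave/id_rsa", SAMPLE_PEM_PLAIN),
]
NFS_PREFIXES = ["/home/"]

if __name__ == "__main__":
    for path in audit_keys(SAMPLE_ENTRIES, NFS_PREFIXES):
        print("unencrypted key on NFS:", path)
```

The header check is deliberately a read of the first field only; it never needs the passphrase and never decrypts anything, so it is safe to run across every home directory on a file server. Keys that are unencrypted but on local storage (the `/ssh/dave` case) are not flagged, matching the trade-off the thread describes.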



More information about the openssh-unix-dev mailing list