OpenSSH daemon security bug?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 6 04:32:53 EST 2010
On 01/05/2010 12:13 PM, Davi Diaz wrote:
> OK, if all users agree about following the security policy I would be in
> favour of allowing ssh-key access, blocking the password one for being less
> secure.

Recent versions of OpenSSH allow you to set your decisions about who
gets key-based (or password-based) access on a more fine-grained level.
For more info, see the Match keyword in sshd_config(8).

> If users do not agree, I would be even against adding ssh-key access to the
> current password based access because ssh-key without a good key policy
> management is less secure even if the public key has to be included in
> the 'authorized_keys' file on the server.

If your users are unwilling or unable to follow your security policy,
then you have problems that cannot be technologically resolved,
unfortunately :(

User education is tough, but there is no magically secure (and
still-useful) tool without it.

--dkg
More information about the openssh-unix-dev
mailing list
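
An sshd_config fragment illustrating the per-user control via the Match keyword mentioned in the message above. This is an added example, not part of the original message or of the OpenSSH distribution; the group names `keypolicy` and `pwlegacy`, the user `alice` and the 192.0.2.0/24 address range are constructed placeholders.

```conf
# Added example (not from the original message). Group names, user name
# and addresses are constructed placeholders.

# --- Global section: the default for every account ---
# Keys are accepted; passwords are refused unless a Match block below
# says otherwise.
PubkeyAuthentication yes
PasswordAuthentication no
# With PAM in use, keyboard-interactive can still present a password
# prompt, so it is disabled here as well.
KbdInteractiveAuthentication no

# --- Users who have not signed up to the key-handling policy ---
# They keep password logins, but only from the internal network, and
# public-key logins stay off for them so that an unmanaged key cannot
# be used.
Match Group pwlegacy Address 192.0.2.0/24
    PasswordAuthentication yes
    PubkeyAuthentication no

# --- Users who have agreed to the key policy ---
# Stated explicitly so the intent is visible next to the block above;
# the values are the same as the global defaults.
Match Group keypolicy
    PubkeyAuthentication yes
    PasswordAuthentication no

# Check the syntax, then print the settings that would apply to one
# specific connection before reloading the daemon:
#   sshd -t
#   sshd -T -C user=alice,host=client.example.org,addr=192.0.2.10 \
#       | grep -Ei '^(password|pubkey|kbdinteractive)authentication'
```

A Match block applies only when every criterion on its line is satisfied, and its keywords override the global section up to the next Match line or the end of the file, so Match blocks must come after all global settings.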