Utility to scan for unpassworded SSH privkeys?

Nico Kadel-Garcia nkadel at gmail.com
Tue May 28 14:00:00 EST 2013


On Mon, May 27, 2013 at 10:10 PM, Phil Pennock <phil.pennock at globnix.org> wrote:
> On 2013-05-24 at 23:32 -0400, Nico Kadel-Garcia wrote:
>> Sorry, got cut off. I did not mean to snark at you, but to explain
>> it's far more awkward in practice.  In this case, there seems not to
>> be a good way with Kerberos to do a "forced command" to tie specific
>> user authentication for subversion or git, to tie user specific
>> authentication to a specific .klogin listed account. The result for
>> Subversion is that all changes would be logged as coming from the
>> common "svn" user. For git it gets a bit weirder due to "merge"
>> operations and "pull requests" run on the server. But pull requests on
>> the server will all be owned by the common "git" user with .klogin,
>> and change tracking winds up in la-la land as it would for
>> Subversion.
>
> I use Kerberised Subversion and have done since 2006.  The identifier
> that appears in "svn log" etc is my kerberos identity, with realm
> intact.
>
> I don't use the SSH transport to do so; https with Apache, the normal
> Subversion modules and mod_auth_kerb, pointing Krb5Keytab at a keytab
> with credentials for Apache; be sure to enable KrbMethodNegotiate.

Oh. That is a very, very different technology, and quite distinct from
the svn+ssh usage.

> I prefer git these days, but do miss the Kerberised access.  If I were
> going to invest time in setting it up, I'd add OpenSSH on a non-standard
> port, configure a ForceCommand in the system-wide sshd_config for that
> sshd and then enable Kerberos as an auth mechanism for that.  Add a

I'd be really fascinated to see this work. It's not clear to me that
this actually forces people to use Kerberos tickets rather than
handling a locally stored plaintext password in Subversion's
UNIX/Linux clients as currently occurs by default.
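For readers who want to see the Apache side of the setup Phil describes above, here is a configuration sketch; it is an added illustration, not something posted in this thread, and the hostname, realm, keytab path and repository paths are assumed placeholders.

```apache
# Added example: Kerberised Subversion over HTTPS with mod_dav_svn + mod_auth_kerb.
# svn.example.com, EXAMPLE.COM and the file paths below are assumed placeholders.
LoadModule dav_module        modules/mod_dav.so
LoadModule dav_svn_module    modules/mod_dav_svn.so
LoadModule authz_svn_module  modules/mod_authz_svn.so
LoadModule auth_kerb_module  modules/mod_auth_kerb.so

<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/svn.example.com.key

    <Location /svn>
        DAV svn
        SVNParentPath /srv/svn/repos

        AuthType Kerberos
        AuthName "Subversion (Kerberos)"
        # Accept SPNEGO/GSSAPI tickets from the client ...
        KrbMethodNegotiate On
        # ... and refuse the Basic-auth password fallback, so a client can
        # only authenticate with a ticket and never sends or caches a
        # plaintext password for this server.
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        # Keytab holding the HTTP/svn.example.com@EXAMPLE.COM key; it must be
        # readable by the Apache user and by nobody else.
        Krb5Keytab /etc/httpd/conf/http.keytab
        # Leave the realm on the principal so "svn log" records
        # user@EXAMPLE.COM (KrbLocalUserMapping On would strip it).
        KrbLocalUserMapping Off
        Require valid-user

        # Per-path authorization keyed on the same principal names.
        AuthzSVNAccessFile /srv/svn/authz
    </Location>
</VirtualHost>
```

With KrbMethodK5Passwd turned off, a client that has not run kinit simply fails to authenticate rather than being prompted for a password it could then store on disk.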


More information about the openssh-unix-dev mailing list