David,

----snip----
> > I would like to set up a linux based shell server for my "windows
> > friends" who would like to learn more about the linux/unix os and to
> > learn some shell scripting etc. I have 3+ years of linux
----snip----
> You will need to set passwords up for your users, anyway. A passwordless
> account is a big security hole. Your users will have to generate a keypair
----snip----

Actually that may not be quite correct, depending on what you mean by "passwordless"...

If you mean passwordless as in no known password for the recorded hash in the passwd/shadow file, then Kevin's passwordless setup is quite secure provided there are no local exploits etc etc.

If you mean passwordless as in any password or no password, then yes, that could prove to be a problem.

I think what Kevin was trying to say was that he wanted to set up a *NIX boxen that forced key based authentication only. In that case we should point out to Kevin that the remote user will not be able to upload their public key (since there is no other way to authenticate and upload files). A trusted third party must therefore insert the user's public key in the appropriate place before the user can actually authenticate and thus log on....

This may prove to be an administration issue: user generates key.... does not know what is going on, perhaps emails public key to administrator, administrator inserts key, remote user still does not know what is going on.... can't authenticate because they forgot the password to unlock their public key or they re-generated a new one and deleted the old one.... it gets messy fast for users that don't understand public key auth.

Having dealt with similar situations before, I suggest providing your users with documentation about public key authentication, its merits and why it works before you tell them this is the way they will have to play....

BTW: If your guys are using the Windows SSH2 client from ssh.com, you will have much less pain if you also use the sshd from ssh.com (check the licence, but as I remember it sshd is free for OS's like FreeBSD, Linux etc..), not the openssh sshd. It turns out the two sshd's use different key formats, which will likely drive you mad.

I recall hearing of a key conversion utility?? true?? anyone??

Nick
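Added example, not part of the original message: an admin-side converter for the key-format mismatch described above, which checks a mailed-in public key before it is placed in `authorized_keys`. It assumes the ssh.com client exports public keys in the SECSH file format later published as RFC 4716; the function names and the sample key are constructed for illustration.

```python
import base64
import re
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def secsh_to_openssh(text):
    """Turn a SECSH (RFC 4716) public key file into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SECSH begin/end markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        i += 1
        if ":" in line and not body:  # header lines come before the base64 body
            while line.endswith("\\") and i < len(lines) - 1:  # continuation
                line = line[:-1] + lines[i]
                i += 1
            tag, value = line.split(":", 1)
            headers[tag.strip().lower()] = value.strip().strip('"')
        elif line:
            body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    # The key type is the first length-prefixed string inside the blob itself.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    if 4 + n > len(blob) or not re.fullmatch(r"[a-z0-9@.+-]+", key_type):
        raise ValueError("malformed key type in blob")
    # The comment is untrusted mail-in text: reduce it to plain characters.
    comment = re.sub(r"[^\w@.,:-]+", " ", headers.get("comment", "")).strip()
    fields = (key_type, base64.b64encode(blob).decode(), comment)
    return " ".join(f for f in fields if f)


def constructed_sample():
    """Constructed test key: a well-formed ed25519 blob with dummy key bytes."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    b64 = base64.b64encode(blob).decode()
    text = f'{BEGIN}\nComment: "student key, \\\nconstructed sample"\n{b64}\n{END}\n'
    return blob, text


if __name__ == "__main__":
    print(secsh_to_openssh(constructed_sample()[1]))
```

OpenSSH's `ssh-keygen -i -f <file>` performs the same import on a real key file.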
