> You will need to set passwords up for your users, anyway. A passwordless
> account is a big security hole. Your users will have to generate a keypair
> on their home (Windows) machine, then put the public key in a special place
> in their home directory on your (Linux) machine. You should read the man
> pages for ssh-keygen, ssh-agent, and ssh-add (for SSH.com's version).
Hmm... I disagree. I'd think a passwordless account (i.e. `grep username /etc/shadow | cut -f 2 -d ':'` == "*NP*" or something similar) would be better for security. The only way you could log in is with SSH RSA authentication. There'd be no way for someone to sniff or brute-force the password. (Note: this assumes you encrypt your private key on the client machine, i.e. have a passphrase -- otherwise there is a security risk of debatable magnitude.)

The Win32 version of SSH.com's SSH2 (as well as SecureCRT) works great with both SSH and OpenSSH if you're doing password authentication. Since OpenSSH and SSH2 use different formats for their .ssh[2]/authorized_keys[2] files, I've not been able to get a public key generated with Win32 SSH2 properly installed under OpenSSH (I haven't tried that hard).

If you're using all SSH2, the Win32 client will generate a keypair, and install it in the appropriate location on the remote server (assuming you can authenticate some other way). No need to fuss about editing all those .ssh files (not that it's that hard...)

--
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
coordinated science laboratory <> university of illinois
cryptography and information protection
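As an added example, not part of the original thread: a small POSIX shell audit that classifies the password field of each /etc/shadow line the way the post's `grep | cut` check does, and separates a locked field (`*NP*`, `*`, `!`, which only disables password login and leaves SSH key login as the remaining path) from an empty field, which requires no credential at all. The shadow lines are constructed sample data, not from any real host.

```shell
#!/bin/sh
# Constructed sample /etc/shadow content (fake users, fake hash).
SAMPLE_SHADOW='root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19000:0:99999:7:::
alice:*NP*:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
carol::19000:0:99999:7:::
dave:*:19000:0:99999:7:::'

# Classify field 2 (the password field) of one shadow line:
#   empty  -> no password stored at all: login needs no credential (a real hole)
#   locked -> field begins with "*" or "!": password login is disabled, so the
#             account can only be entered some other way, e.g. SSH public key
#   hashed -> an ordinary password hash is present (password login possible)
classify_shadow_entry() {
    field=$(printf '%s\n' "$1" | cut -d ':' -f 2)
    case "$field" in
        '')      echo empty ;;
        \**|\!*) echo locked ;;   # leading literal "*" or "!"
        *)       echo hashed ;;
    esac
}

# Print "user  class" for every non-blank line read on stdin.
report_shadow() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        printf '%-8s %s\n' "${line%%:*}" "$(classify_shadow_entry "$line")"
    done
}

# Count accounts whose password field is empty (the dangerous case).
count_passwordless() {
    n=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        [ "$(classify_shadow_entry "$line")" = empty ] && n=$((n + 1))
    done
    echo "$n"
}

# Demo on the constructed data. On a real host, run as root:
#   report_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | report_shadow
echo "accounts with an empty password field: $(printf '%s\n' "$SAMPLE_SHADOW" | count_passwordless)"
```

In the sample, alice, bob and dave are locked (key-only candidates), root is hashed, and carol is the one entry the audit flags as truly passwordless.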
