Greg, On Mon, 13 Jan 2003 17:45:09 MST Greg Morgan wrote:
> I have used "Public key authentication before" as described by > http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8. The > user's passwords were never enabled on the host. Out of curiosity, do you mean the password hashes were not even set in /etc/shadow, or just that you were not allowing ssh password authorization? I suspected the former until I read the link which is ssh specific. (Either technique should work, depending on your goals.) > A public key part of > public/private key had to be supplied by each user desiring access to > the host. You mean private key, right? The user signs a challenge with her private key and the host authentications it using her public key (stored in $HOME/.ssh/authorized_keys for OpenSSH). > What bothers me is that root has to have a password. All the > other users are using public key authentication, but poor old root is > just hanging out in the breeze. I could not find a way to turn on > public key authentication for root. If you mean not have a password at all for root, that would make it tricky to enter runlevel 1 for maintenance or to fix network problems from the console (unless you reboot and and override the init process via the bootloader which would be a pain). > I played with /etc/securetty. I > wanted to disable remote access by root but allow another user to use > public key to access the server, then su to root. If by "remote" you mean "ssh", you can do that with OpenSSH and the "PermitRootLogin" option (man sshd_config for details). You can also control whether password authentication is allowed with the "PasswordAuthentication" option. > One problem arises if > I disable root's password, then the console of the server is useless. > At times a person still has to logon at the server as root, but public > key authentication is not available there. My google searches produced > RFCs, etc., but nothing meaningful. > > Has anyone tried this? > Is there too much paranoia here? Should I just be happy that the whole > session for root is encrypted? > Or someone has done this, but I am approaching it in the wrong manor? I think the most popular approach is to disable root access in ssh and any other remote access programs you run (telnet, ftp, vnc, etc). If you really want to disable root console access via passwords, you probably can via PAM on a full *nix distro or *possibly* by setting the root password to an asterisk. The /etc/shadow approach seems pretty drastic to me for most situations. In many installs console access equates to physical access and at that point there's not much you can do to stop a determined attacker. You might also be able to affect root logins via grsecurity (or other) ACL systems too, but I haven't done enough research to know for sure. Anyhow, that's my two cents. --Brad > Any thoughts or pointers would be appreciated. > > Greg Morgan ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html