Brad Fritz wrote:
Greg,

On Mon, 13 Jan 2003 17:45:09 MST Greg Morgan wrote:


I have used "Public key authentication before" as described by http://the.earth.li/~sgtatham/putty/0.53b/htmldoc/Chapter8.html#8. The user's passwords were never enabled on the host.

<snip>

A public key part of public/private key had to be supplied by each user desiring access to the host.
Hmm, I guess that was not written well. Yep, first the user configures the public key in $HOME/.ssh/authorized_keys on the server they will connect to (i.e. public key...supplied by each user desiring access...). ssh/OpenSSH asks the user to prove themselves with their private key stored on the client computer.


You mean private key, right?  The user signs a challenge with her
private key and the host authenticates it using her public key
(stored in $HOME/.ssh/authorized_keys for OpenSSH).

<snip>
If by "remote" you mean "ssh", you can do that with OpenSSH and the
"PermitRootLogin" option (man sshd_config for details).  You can
also control whether password authentication is allowed with the
"PasswordAuthentication" option.

<snip>
I think the most popular approach is to disable root access in ssh and
any other remote access programs you run (telnet, ftp, vnc, etc).  If
you really want to disable root console access via passwords, you
probably can via PAM on a full *nix distro or *possibly* by setting the
root password to an asterisk.  The /etc/shadow approach seems pretty
drastic to me for most situations.  In many installs console access
equates to physical access and at that point there's not much you can
do to stop a determined attacker.  You might also be able to affect
root logins via grsecurity (or other) ACL systems too, but I haven't
done enough research to know for sure.  Anyhow, that's my two cents.

--Brad

Brad,

Thanks for your answer. It was a very valuable two cents. :-) With your patience you pieced together what I was struggling to find. PermitRootLogin was what I was searching for. I was stuck on /etc/securetty and how it is related to SSH/OpenSSH.

Again, thanks for the "helping hand up."

Greg Morgan




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
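
An added example, not part of the original thread: a small Python check that reads the global section of an sshd_config and reports the effective PermitRootLogin and PasswordAuthentication values discussed above. The sample config is constructed, and the fallback defaults are an assumption taken from current OpenSSH releases (check man sshd_config for your version).

```python
# Assumed defaults when a keyword is absent (current OpenSSH; verify locally).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

# Constructed sample input, not taken from any real host.
SAMPLE = """\
# constructed sample
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
"""

def effective_settings(text):
    """Return the effective global value for each audited keyword.

    sshd uses the first value it obtains for a keyword, keywords are
    case-insensitive, and a Match line ends the global section.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are outside the scope of this check
        if key in DEFAULTS and key not in found and len(parts) == 2:
            found[key] = parts[1].strip().lower()
    return {k: found.get(k, DEFAULTS[k]) for k in DEFAULTS}

def findings(text):
    """List the settings that differ from 'root disabled, keys only'."""
    eff = effective_settings(text)
    out = []
    if eff["permitrootlogin"] != "no":
        out.append("PermitRootLogin is '%s', not 'no'" % eff["permitrootlogin"])
    if eff["passwordauthentication"] != "no":
        out.append("PasswordAuthentication is '%s', not 'no'"
                   % eff["passwordauthentication"])
    return out

if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```

In the sample, the second PasswordAuthentication line has no effect because the earlier "yes" was obtained first, which is the kind of mistake this check is meant to surface.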
