>>> On Tue, Jul 24, 2007 at  2:46 PM, in message <[EMAIL PROTECTED]>,
Larry Ploetz <[EMAIL PROTECTED]> wrote: 
> Mark Post wrote:
>>>>> On Fri, Jul 20, 2007 at  5:54 PM, in message <[EMAIL PROTECTED]>,
>>>>>
>> Larry Ploetz <[EMAIL PROTECTED]> wrote:
>> -snip-
>>
>>> in your sshd_config file, to keep them all in one place. Then you could
>>> allow/prevent users from updating their own authorized_keys. Or even put
>>> all authorized keys for all users in one file (replace the "%u" with a
>>> static file name).
>>>
>>
>> I would think that this last suggestion would allow any user to log in as 
> any other user.  Probably not a good idea.
>>
> 
> Only if they had the corresponding key half, which was the point IIRC. I

But, they _would_ have the private key half of their pair, and if they did "ssh 
-l somebodyelse ipaddr" then SSH would locate the corresponding public key, do 
the handshake, and say "yep, you're them!" and let you in.  Only if you broke 
the keys for each user out into a separate file would things work the way you 
state (because SSH wouldn't be able to find the public key in the other user's 
file), but then you wouldn't have them all in one place.

> was confused, by the way, why anyone would want to put an entry in every
> user's authorized_keys file to allow anyone with the other half (stated as
> `root', but if anyone got a copy, then anyone) to log in as them -- why

If someone gets hold of the root user's private key (and passphrase), it 
doesn't matter what you do on the server.  That person can do whatever root can 
do.

> not just su/"sudo -u" to the target userid? Why add additional potential

Personally, I wouldn't do it.  But if you did it, it would probably be for the 
reason that scripting a lot of things just works easier/more clearly if you 
sign in as the user directly.


Mark Post
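The point Mark makes about a static AuthorizedKeysFile, as an added example that is not part of this thread: a small model of how sshd expands the AuthorizedKeysFile template for the login name the client asked for, and which accounts one key pair can then reach. The key strings, the three accounts and the /home/<user> home directories are constructed placeholders; the real sshd does the same token expansion (%u, %h) but also checks file ownership and permissions, which this model skips.

```python
import os
from typing import Dict, List, Set

# Constructed sample data (placeholder key strings, not real OpenSSH keys).
ACCOUNTS = ["alice", "bob", "carol"]
ALICE_KEY = "ssh-ed25519 AAAA...alice"
BOB_KEY = "ssh-ed25519 AAAA...bob"

# Layout 1: central directory, one file per user via the "%u" token.
PER_USER_FILES: Dict[str, Set[str]] = {
    "/etc/ssh/authorized_keys/alice": {ALICE_KEY},
    "/etc/ssh/authorized_keys/bob": {BOB_KEY},
}
# Layout 2: "%u" replaced by a static name, so everyone's keys share one file.
SHARED_FILE: Dict[str, Set[str]] = {
    "/etc/ssh/authorized_keys_all": {ALICE_KEY, BOB_KEY},
}

def resolve_authorized_keys_file(template: str, login_user: str) -> str:
    """Expand an AuthorizedKeysFile template for the account the client asked
    for (ssh -l <login_user>): %u -> login name, %h -> home directory, and a
    relative path is taken relative to that home, as sshd does.
    Home directories are assumed to be /home/<user> (simplification)."""
    home = f"/home/{login_user}"
    path = template.replace("%h", home).replace("%u", login_user)
    return path if path.startswith("/") else os.path.join(home, path)

def key_authorizes_login(template: str, files: Dict[str, Set[str]],
                         login_user: str, presented_key: str) -> bool:
    """True if the presented public key is listed in the file sshd would read
    for login_user. The signature check itself is assumed to pass, because the
    client holds the private half of its own key pair."""
    path = resolve_authorized_keys_file(template, login_user)
    return presented_key in files.get(path, set())

def accounts_reachable(template: str, files: Dict[str, Set[str]],
                       accounts: List[str], presented_key: str) -> List[str]:
    """Blast radius of one key pair: every account it can log in as."""
    return [u for u in accounts
            if key_authorizes_login(template, files, u, presented_key)]

if __name__ == "__main__":
    # Per-user files: alice's key reaches only alice.
    print(accounts_reachable("/etc/ssh/authorized_keys/%u",
                             PER_USER_FILES, ACCOUNTS, ALICE_KEY))
    # One shared file: the same key now reaches every account on the box.
    print(accounts_reachable("/etc/ssh/authorized_keys_all",
                             SHARED_FILE, ACCOUNTS, ALICE_KEY))
```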

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390