On Thursday, 01/22/2009 at 11:06 EST, John Summerfield <deb...@herakles.homelinux.org> wrote:
> Auditors like to think they know who did things. If I connect to your
> system using ssh, how do you know it's me? All you know is that someone
> connected using a public key you've approved.

Because you (should) have 'PubKeyAuthentication YES' on each server you will access. That will cause a signature to be generated using your matching private key, which is only on your home system(s). That, in turn, requires you to enter the password you used during ssh-keygen.

To avoid having to enter your private-key-encrypting password each time you ssh to a host, you use ssh-agent (maybe with something like keychain) so that you only enter your password once per local login session. You can also cause in-memory keys to be purged after 'n' minutes.

Hint: Don't use the same password for each keygen and don't use the same password as your login password, though the latter isn't too much of a problem since you change your own password at defined intervals.

If you don't authenticate a user's public key, then its value is significantly reduced. As the file containing the public keys is not encrypted, you have no idea who might be in possession of it.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
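The reply above describes two things an auditor would want to verify: that the server actually has public-key authentication turned on, and that each approved public key can be tied to a person. The script below is an added example, not part of the list message or of OpenSSH; it reads a constructed sshd_config the way sshd does (first occurrence of a keyword wins, keywords and yes/no values case-insensitive, so the 'PubKeyAuthentication YES' spelling in the reply is accepted), lists each authorized_keys entry with its comment so unlabelled keys stand out, and shows the ssh-add lifetime option the reply alludes to for purging in-memory keys after 'n' minutes. The sample config, the placeholder key blobs and the key path in start_agent_with_timeout are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the LINUX-390 message. All file contents and paths
# below are constructed for the demonstration.

# Effective value of keyword $2 in sshd_config $1. Like sshd, ignore comments
# and blank lines, match the keyword case-insensitively and use the first hit.
sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == k { print tolower($2); exit }' "$1"
}

# Return 0 when the server accepts public keys and refuses passwords.
check_sshd_config() {
    pubkey=$(sshd_option "$1" PubkeyAuthentication)
    passwd=$(sshd_option "$1" PasswordAuthentication)
    # sshd defaults when the keyword is absent: both are "yes".
    pubkey=${pubkey:-yes}
    passwd=${passwd:-yes}
    rc=0
    [ "$pubkey" = yes ] || { echo "PubkeyAuthentication=$pubkey (want yes)"; rc=1; }
    [ "$passwd" = no ]  || { echo "PasswordAuthentication=$passwd (want no)"; rc=1; }
    return $rc
}

# Print "type<TAB>comment" for each key in authorized_keys $1. A key with no
# comment is marked UNLABELLED: nothing on that line says whose key it is.
# Assumption: a leading options field (from=, command=, ...) contains no spaces.
list_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            i = 1
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) i = 2
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (comment == "" ? "" : " ") $j
            if (comment == "") comment = "UNLABELLED"
            print $i "\t" comment
        }' "$1"
}

count_keys() { list_authorized_keys "$1" | awk 'END { print NR }'; }
count_unlabelled_keys() {
    list_authorized_keys "$1" | awk -F'\t' '$2 == "UNLABELLED" { n++ } END { print n + 0 }'
}

# Client side: one passphrase prompt per login session, and the decrypted key is
# purged from the agent after 1800 seconds (ssh-add -t). Not run by the demo;
# the key path is an assumption.
start_agent_with_timeout() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add -t 1800 "$HOME/.ssh/id_ed25519"
}

# Constructed sample files so the script runs stand-alone.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
PubKeyAuthentication YES
PasswordAuthentication no
# a later duplicate keyword is ignored by sshd, and by sshd_option above
PasswordAuthentication yes
EOF
cat > "$DEMO_DIR/authorized_keys" <<'EOF'
# constructed sample; the key blobs are placeholders, not real keys
ssh-ed25519 AAAAC3PLACEHOLDER1 alan@home
from="10.0.0.5" ssh-rsa AAAAB3PLACEHOLDER2 backup-operator@host
ssh-rsa AAAAB3PLACEHOLDER3
EOF

check_sshd_config "$DEMO_DIR/sshd_config" && echo "sshd_config: public-key only, OK"
list_authorized_keys "$DEMO_DIR/authorized_keys"
echo "$(count_unlabelled_keys "$DEMO_DIR/authorized_keys") of $(count_keys "$DEMO_DIR/authorized_keys") keys carry no owner comment"
```

Run it with no arguments to see the sample output; point check_sshd_config and list_authorized_keys at real files to audit a host. The comment field is only a label, so an unlabelled entry is a gap in the audit trail rather than proof of misuse; the reply's real point still stands, namely that the authorized_keys file says who was approved, not who holds the matching private key.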