Jim McQuillan <[EMAIL PROTECTED]> said:
> Since NFS isn't encrypted, anybody snooping on the wire
> can get your SSH key, and your "secure" X Login isn't so
> secure anymore.

Maybe I'm misunderstanding the problem. The public key is no problem since it's not a secret. Your private key is protected by a passphrase and never stored on the filesystem unencrypted. So as long as the local client isn't compromised (i.e. keystroke logging), and you have a reasonable passphrase, storing the keys via NFS isn't a bad idea. Certainly a lot better than running a remote GDM.

The tricky part is running a local graphical login to a remote server; afaik none of gdm/kdm or similar support typing in a username and password and then doing the ssh authentication.

Another possibility is kerberos, which does allow a secure graphical login. This provides the added bonus that other services can use the same authentication, like imapd servers for instance. Although kerberos does have a problem with NFS, and is usually paired with AFS for that reason.

> SO, if you want to do it securely, either with SSH
> or with IPSec, you need someplace on the workstation
> to store those keys.

Ideally yes, but reading a remote 1024bit or similar key and decrypting it with a good passphrase is fairly secure (as long as the keystrokes you're typing for the passphrase are processed locally), certainly likely to be secure enough so that the easiest attack is elsewhere.

> maybe a floppy or a hard disk.
> I don't like either of those ideas, because i'm trying
> to remove the moving parts, not require them.
> So, you could do it with flash, but that's an added
> expense.
>
> I like the little USB Disk-on-key thingies. That could
> hold the keys.

Actually USB disk-on-a-key thingies aren't that secure; better than nothing, but unfortunately they are easily copied. There are more secure ways to store a key. The most physically secure is the ibutton:
http://www.ibutton.com/ibuttons/java.html

Openssh seems to have prelim support for similar (from the openssh readme):

> How to use smartcards with OpenSSH?
>
> OpenSSH contains experimental support for authentication using
> Cyberflex smartcards and TODOS card readers.
>
> WARNING: Smartcard support is still in development. Keyfile formats, etc
> are still subject to change.

--
Bill Broadley
Mathematics/Institute of Theoretical Dynamics
UC Davis

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.openprojects.net
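The reply above rests on one claim: a passphrase-protected private key is never stored on the filesystem unencrypted, so exposing it over cleartext NFS only leaks ciphertext. The thing a defender wants to verify on an NFS-mounted home directory is therefore that the key files there really are encrypted at rest. The script below is an added example, not code from this post or from OpenSSH: it reads the key file header (the cipher and KDF names in an openssh-key-v1 container, the PKCS#8 BEGIN line, or the legacy PEM Proc-Type header) and reports which keys are usable by anyone holding a copy of the file. The sample key files are constructed inside the script and are not real keys; `build_openssh_blob`, `to_openssh_pem`, `scan_key_dir` and `audit` are names chosen here.

```python
import base64
import os
import struct

# openssh-key-v1 container magic (the new-format private keys OpenSSH writes)
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 length prefix) from blob."""
    if len(blob) < offset + 4:
        return None, offset
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def classify_private_key(text):
    """Return 'encrypted', 'plaintext' or 'unknown' for one PEM-style key file."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    header = lines[0]
    if header == OPENSSH_HEADER:
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:
            return "unknown"
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        if cipher is None or kdf is None:
            return "unknown"
        # A passphrase-protected key names a real cipher and the bcrypt KDF;
        # an unprotected one records "none" for both fields.
        return "plaintext" if cipher == b"none" or kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return "plaintext"
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled only by
        # the Proc-Type/DEK-Info headers immediately after the BEGIN line.
        if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:3]):
            return "encrypted"
        return "plaintext"
    return "unknown"


def scan_key_dir(path):
    """Classify every id_* file without a .pub suffix in an ~/.ssh directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.startswith("id_") and not name.endswith(".pub"):
            with open(os.path.join(path, name), "r", errors="replace") as fh:
                results[name] = classify_private_key(fh.read())
    return results


# Constructed fixtures (not real keys): just enough of each container format
# to exercise the header checks above.

def build_openssh_blob(cipher, kdf):
    """Leading fields of an openssh-key-v1 container with the given cipher/kdf names."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    # magic, ciphername, kdfname, kdfoptions (empty), number of keys (0)
    return OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)


def to_openssh_pem(blob):
    """Wrap a container blob in the base64 armour OpenSSH uses on disk."""
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_HEADER}\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLES = {
    "id_ed25519_protected": to_openssh_pem(build_openssh_blob(b"aes256-ctr", b"bcrypt")),
    "id_ed25519_unprotected": to_openssh_pem(build_openssh_blob(b"none", b"none")),
    "id_rsa_legacy_protected": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
        "\n"
        "QUJDREVGR0g=\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "id_rsa_legacy_unprotected": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "QUJDREVGR0g=\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}


def audit(samples):
    """Map each sample name to its verdict; plaintext entries are the ones to fix."""
    return {name: classify_private_key(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Run against a real home directory with `scan_key_dir(os.path.expanduser("~/.ssh"))`; any `plaintext` verdict means the NFS argument in the post no longer holds for that key, since a copy of the file is the key. The check reads only the header fields, so it never needs the passphrase and never touches the key material itself.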