Jim McQuillan <[EMAIL PROTECTED]> said:
> Since NFS isn't encrypted, anybody snooping on the wire
> can get your SSH key, and your "secure" X Login isn't so
> secure anymore.

Maybe I'm misunderstanding the problem.

The public key is no problem since it's not a secret.  Your private
key is protected by a passphrase and never stored on the filesystem
unencrypted.  So as long as the local client isn't compromised (i.e.
keystroke logging), and you have a reasonable passphrase, storing the
keys via NFS isn't a bad idea.  Certainly a lot better than running a
remote GDM.

The tricky part is running a local graphical login to a remote server;
afaik none of gdm/kdm or similar support typing in a username and
password and then doing the ssh authentication.

Another possibility is Kerberos, which does allow a secure graphical
login.  This provides the added bonus that other services can use the same
authentication, imapd servers for instance.  Although Kerberos does
have a problem with NFS, and is usually paired with AFS for that reason.


> SO, if you want to do it securely, either with SSH
> or with IPSec, you need someplace on the workstation
> to store those keys.

Ideally yes, but reading a remote 1024-bit or similar key and decrypting
it with a good passphrase is fairly secure (as long as the keystrokes
you're typing for the passphrase are processed locally), certainly likely
to be secure enough that the easiest attack is elsewhere.

>  maybe a floppy or a hard disk.
> I don't like either of those ideas, because i'm trying
> to remove the moving parts, not require them.
> So, you could do it with flash, but that's an added
> expense.
> 
> I like the little USB Disk-on-key thingies.  That could
> hold the keys.

Actually, USB disk-on-key thingies aren't that secure; better
than nothing, but unfortunately they are easily copied.  There are more
secure ways to store a key.  The most physically secure is the iButton:
        http://www.ibutton.com/ibuttons/java.html

OpenSSH seems to have prelim support for something similar (from the OpenSSH README):
> How to use smartcards with OpenSSH?
>
> OpenSSH contains experimental support for authentication using
> Cyberflex smartcards and TODOS card readers.
>
> WARNING: Smartcard support is still in development. Keyfile formats, etc
> are still subject to change.
 
-- 
Bill Broadley
Mathematics/Institute of Theoretical Dynamics
UC Davis
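The argument above rests on the private key being passphrase-protected on disk, so that an NFS export only exposes ciphertext. As an added example (not part of the original message or of OpenSSH), here is a small Python check that classifies private key files found on such an export as passphrase-encrypted or plaintext by inspecting only the file envelope. It goes beyond what the message discusses by handling both the legacy PEM format of that era and the later openssh-key-v1 container (whose header carries a cipher and KDF name, "none" when no passphrase was set) and the PKCS#8 "ENCRYPTED PRIVATE KEY" envelope. The sample key files and the paths under /home/user/.ssh are constructed for this check; the base64 bodies are placeholders, not real key material.

```python
import base64
import struct


def _ossh_string(b: bytes) -> bytes:
    """Length-prefixed string as used inside the openssh-key-v1 container."""
    return struct.pack(">I", len(b)) + b


def build_openssh_container(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: the header of an openssh-key-v1 file with the given
    cipher/KDF names. The key material after the header is a zero placeholder
    (hypothetical, for this check only); real files carry the actual keys."""
    body = (b"openssh-key-v1\0" + _ossh_string(cipher) + _ossh_string(kdf)
            + _ossh_string(b"") + struct.pack(">I", 1)
            + _ossh_string(b"\0" * 16) + _ossh_string(b"\0" * 32))
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy-format samples (RFC 1421 style PEM headers). The base64
# bodies are placeholders, not real key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAINTEXT = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def key_protection(text: str) -> str:
    """Classify a private key file as 'encrypted', 'plaintext' or 'unknown'
    without needing the passphrase: only the envelope is inspected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        b64 = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            return "unknown"
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            return "unknown"
        pos = len(magic)
        names = []
        for _ in range(2):          # ciphername, then kdfname
            if pos + 4 > len(blob):
                return "unknown"
            (n,) = struct.unpack(">I", blob[pos:pos + 4])
            pos += 4
            names.append(blob[pos:pos + n])
            pos += n
        cipher, kdf = names
        # ssh-keygen writes cipher "none" / kdf "none" when no passphrase was given.
        return "plaintext" if cipher == b"none" or kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"          # PKCS#8 encrypted envelope
    if header.endswith("PRIVATE KEY-----"):
        hdrs = lines[1:]
        if (any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in hdrs)
                and any(h.startswith("DEK-Info:") for h in hdrs)):
            return "encrypted"
        return "plaintext"          # legacy PEM with no encryption headers
    return "unknown"


def audit(files: dict) -> dict:
    """Map each (for instance NFS-exported) key path to its classification."""
    return {path: key_protection(body) for path, body in files.items()}


if __name__ == "__main__":
    samples = {  # constructed paths and contents
        "/home/user/.ssh/id_ed25519": build_openssh_container(b"aes256-ctr", b"bcrypt"),
        "/home/user/.ssh/id_ed25519_nopass": build_openssh_container(b"none", b"none"),
        "/home/user/.ssh/id_rsa_legacy": LEGACY_ENCRYPTED,
        "/home/user/.ssh/id_rsa_plain": LEGACY_PLAINTEXT,
    }
    for path, verdict in audit(samples).items():
        print(f"{verdict:10s} {path}")
```

Run it over the contents of each key file on the export; any "plaintext" verdict is a key that an NFS snooper would get in usable form, which is exactly the case the message's reasoning assumes does not exist. The check reads only the envelope, so it never needs, and never handles, the passphrase.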

_____________________________________________________________________
Ltsp-discuss mailing list.   To un-subscribe, or change prefs, goto:
      https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help,   try #ltsp channel on irc.openprojects.net