At 09:14 PM 1/14/99 -0800, you wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Shiloh
>Costa) wrote:
>
>// Currently one of our hosts is setup for RSA authentication for ssh by only
>// one user.
>//
>// On the same Linux box, we have other users with FTP access.
>//
>// What is to stop the FTP user from creating their own .ssh sub-directory in
>// their home directory, and adding their own public key thereby giving
>// themselves SSH capability.
>//
>// What kinds of methods could someone use to only allow 2 or 3 users to have
>// SSH capability, and deny anyone else from creating their own .ssh subdir
>// via FTP?
>//
>// The only way I can think of is to pre-create an .ssh directory, and chown
>// it to root with no write permissions.
>//
>// Shiloh Costa
>// MDI Internet Inc.
>
>The easiest way would be to use the etc-skel system along with adduser to
>place a blank root-owned file called .ssh in their dir.
Apparently a user can rename a root-owned file or subdir if the user is
the owner of the directory where the file or subdir resides.
Therefore, using FTP, they could simply rename .ssh to .ssh-who-cares and
still proceed with creating their own .ssh directory.
>I have no clue though why you would want to disable RSA authentication.
If a sniffer finds someone's FTP username/password, not only could they
break into the user's directory via FTP, they have now created themselves an
ssh'able shell account too.
SSH'able shells can do more damage than an FTP login.
Shiloh Costa
[EMAIL PROTECTED]
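An added example, not part of the original thread: a small POSIX sh audit that lists users holding a ~/.ssh/authorized_keys without being on the SSH allowlist, plus a check of the rename behaviour described above (a mode-000 file stands in for the root-owned placeholder so it runs unprivileged). The homes root, the allowlist and the sample users alice/bob/carol are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits a tree of home
# directories for authorized_keys files owned by users outside an SSH
# allowlist (the FTP-user scenario), and shows why a root-owned placeholder
# .ssh entry is not a control: rename permission comes from the containing
# directory, not from the entry's own ownership or mode.
# Assumptions: POSIX sh plus coreutils; homes root and allowlist are
# parameters so the check can run against a constructed tree.

# Print each user whose $HOME/.ssh/authorized_keys exists but who is not in
# the space-separated allowlist. Returns 1 if any were found, else 0.
audit_authorized_keys() {
    homes_root=$1
    allowed=" $2 "
    found=0
    for home in "$homes_root"/*; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        [ -f "$home/.ssh/authorized_keys" ] || continue
        case "$allowed" in
            *" $user "*) ;;                        # sanctioned SSH user
            *) printf '%s\n' "$user"; found=1 ;;   # unsanctioned key file
        esac
    done
    return $found
}

# The owner of a directory renames an entry they cannot write to: only the
# directory's write bit matters. Prints "renamed" or "refused"; runs
# unprivileged (a mode-000 file stands in for the root-owned placeholder).
rename_despite_entry_mode() {
    dir=$1
    : > "$dir/.ssh" && chmod 000 "$dir/.ssh"
    if mv "$dir/.ssh" "$dir/.ssh-renamed" 2>/dev/null; then
        echo renamed
    else
        echo refused
    fi
}

# Constructed sample tree: alice is the sanctioned SSH user; bob and carol
# are FTP-only accounts, and bob has dropped in his own authorized_keys.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir -p "$root/alice/.ssh" "$root/bob/.ssh" "$root/carol"
    : > "$root/alice/.ssh/authorized_keys"
    : > "$root/bob/.ssh/authorized_keys"
    echo "$root"
}
```

The audit only detects; the server-side counterpart is an explicit login allowlist in the SSH daemon (for OpenSSH the `AllowUsers` directive, assuming that is the sshd in use), which holds regardless of what appears in a home directory.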