[EMAIL PROTECTED] on 05/30/2000 11:57:22 AM
>The "ssh" client program checks the permissions on the "identity" file
>*that it's using* to make sure it's secret and no one else can read it.
>But it doesn't go looking for all files in the system to see if any other
>files contain SSH keys, and it doesn't check all outgoing data to see
>if any of it is SSH keys - not even data going over SSH connections.

Of course not -- it'd be really stupid if it did.

>That's the **IX "ssh" client, of course. As for the rest, a little
>story: I'm giving a session at a conference in July about protecting
>your machines against "hackers". The conference organisers want the
>presentations prepared by "powerpoint". I don't run Windoze on any
>of my machines *because* I want to protect them against "hackers"...

I completely understand your point.  Our security concerns aren't as restrictive
as yours, though.

>Can't be done with SSH. The key is the key and *nothing* can stop someone
>giving it away. So to do what you want, the *best* I can think of is to
>use something where giving away the access would make life difficult for
>the punter: use a hardware token (SecureID, for example) or a one-time
>password. IP numbers are *not*, in the final analysis, reliable; although
>they too can make cheating more difficult.

I understand that IP-checking isn't completely reliable, but all we are aiming
for is to make it difficult enough for "normal" employees to give away their
keys.  So, as a request, would it be possible to add the same kind of checking
for the user as already exists for the client host?  For example, make it
possible to have the following:

from=user@hostname

or something similar in $HOME/.ssh2/authorization?  Has anyone else attempted
such a patch?  Are there technical reasons why such a patch would be impossible?
For example, is it just plain impossible for the server to know the client's
user name?  (I don't see why it would be since the server must be able to check
.rhosts and .shosts).

Thanks,
Noel
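An added example, not code from the original thread and not from any ssh distribution: the host-side restriction the message above already leans on. It assumes OpenSSH authorized_keys syntax, where an entry may be prefixed with comma-separated options such as from="host-pattern" (the thread's $HOME/.ssh2/authorization file uses a different format). The first helper emits a key entry pinned to a host pattern with forwarding turned off; the second audits a file for keys that carry no from= option at all, which is the check an administrator would run before trusting host-based restriction to make a copied key less useful. The sample key file is constructed, with placeholder key material.

```shell
#!/bin/sh
# Added example, not code from the original thread or from any ssh
# distribution. Assumes OpenSSH authorized_keys syntax, where an entry
# may be prefixed with comma-separated options such as from="host-pattern".
#
# Helpers:
#   restrict_key PATTERN KEYLINE  - emit KEYLINE restricted to hosts matching PATTERN
#   unrestricted_keys FILE        - list keys in FILE that carry no from= option

# Emit an authorized_keys entry pinned to the given host pattern with
# forwarding disabled, so a key copied elsewhere is of little use.
restrict_key() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Print the comment field (last token) of each key that has no from= option.
# Returns 0 when every key is host-restricted, 1 otherwise.
# from= is only recognised inside the leading options field, i.e. at the
# start of the line or after a comma with no intervening space, so a
# "from=" appearing in a key comment does not count.
unrestricted_keys() {
    _bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if printf '%s\n' "$line" | grep -Eq '^([^ ]*,)?from="'; then
            continue                                 # restricted by host
        fi
        printf '%s\n' "$line" | awk '{ print $NF }'
        _bad=1
    done < "$1"
    return "$_bad"
}

# Constructed sample file: two host-restricted keys and one unrestricted key.
# The key material is truncated placeholder text, not real keys.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
from="desk1.example.com" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0placeholder noel@desk1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder alice@laptop
from="10.0.0.0/8,!10.0.5.*",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB2placeholder bob@desk2
EOF

echo "keys without a from= restriction:"
unrestricted_keys "$SAMPLE_FILE" || echo "(audit found unrestricted keys)"

echo "hardened version of the unrestricted key:"
restrict_key "laptop.example.com" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1placeholder alice@laptop"
```

Run as a plain sh script: the audit lists `alice@laptop` as the only key without a host restriction and exits non-zero, and the last line shows what that entry looks like once pinned to a host. Note that from= matches the connecting host's name or address, which is exactly the host check the reply above calls imperfect; nothing in the entry identifies the remote user, so this only raises the effort of sharing a key, as the message says.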