Hi,
I have a policy question that's been generating fierce debate at our
company (a web design shop with relatively light security requirements).
Is the ability for users to set up "auto-login" (dispensing with
passwords) bad? Let's say a user has added their home machine's public
key to the server's ~/.ssh/authorized_keys. Let's further assume that they
did not type a passphrase when creating their private key.
From the sysadmin's point of view:
Auto-login means that if any user's machine is compromised, the attacker
has an account on the server too! The ssh auto-login feature allows
users to create "webs of trust" completely outside the control of the
sysadmin. It removes the password barrier between systems, and allows
breakins to quickly propagate between systems. As such it is harmful and
wrong, and should be switched off by default.
A counterargument:
In a properly configured system, it shouldn't *matter* if a user has
malicious intentions, because they shouldn't be able to do harm anyway.
Regular users make mistakes. They write their passwords on sticky labels
on their monitor. Consequently one can *never* trust users not to harm the
system. Now, ssh auto-login is just another potential way for a user to
turn malicious, but to a properly configured system, a user's intentions
are irrelevant. Furthermore, disabling ssh auto-login gives a false sense
of security. At a *policy* level there is nothing wrong with auto-login.
I'd greatly value people's opinions on this. I'm sure there's some middle
ground, but as a policy issue, a decision one way or the other needs to be
made.
Thanks,
--Jeff
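An added example (mine, not part of Jeff's post) of one concrete "middle ground" from the sysadmin's side: rather than switching key-based login off, audit each server's ~/.ssh/authorized_keys and flag keys that carry none of the restrictions OpenSSH lets you put on a key (a `from=` host pattern, a `command=` forced command). The script below parses the authorized_keys line format, including quoted option values that contain commas, and runs over a constructed sample file; the key material and comments in it are made up.

```python
# Audit authorized_keys entries for unrestricted keys.
# OpenSSH key types we recognise at the start of a line (no options present).
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-")

# Constructed sample file: three keys, fake key material, fake comments.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real key file
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FakeKeyOne jeff@home
from="192.0.2.10",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FakeKeyTwo jeff@laptop
command="/usr/local/bin/deploy",from="192.0.2.0/24,198.51.100.7" ssh-rsa AAAAB3NzaC1yc2EFakeKeyThree deploy@ci
"""

def split_options(line):
    """Return (options, rest). Options end at the first space outside double quotes."""
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def option_names(opts):
    """Split a comma-separated option list into lower-cased option names."""
    names, cur, in_quotes = [], "", False
    for ch in opts:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            names.append(cur.split("=", 1)[0].lower())
            cur = ""
        else:
            cur += ch
    if cur:
        names.append(cur.split("=", 1)[0].lower())
    return names

def audit_authorized_keys(text):
    """One finding per key: (comment, list of missing restrictions)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            continue  # malformed entry; sshd ignores it as well
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        present = set(option_names(opts))
        findings.append((comment, [o for o in ("from", "command") if o not in present]))
    return findings

if __name__ == "__main__":
    for comment, missing in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(comment, "missing:", ", ".join(missing) or "nothing")
```

On a real host, read each user's authorized_keys file in place of the sample; a key that is missing both restrictions is exactly the "web of trust outside the sysadmin's control" the first argument worries about.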