[scponly] RSA Keys and scponly
J.D. Baldwin
baldwin at panix.com
Wed Nov 9 14:41:20 EST 2005

Frank Mohr wrote:
> the authorized_keys file must be readable by root during the
> authentication process and some network protocols prevent this

Pitfall #1: at least on Solaris 8 / 9 hosts, the authorized_keys
file must be readable by the user being authenticated.
I know this doesn't really make sense, but that's what
I discovered during my own testing. (This was using
a very recent OpenSSH version; I suspect it would be
true on other platforms as well.)
There is no requirement that the authorized_keys file
be within the chroot environment itself, so the user
may or may not be able to access it once connected,
but the user account must have read privileges to the
file.

Ralf Durkee wrote:
> The authorized keys file can be moved out of the home directory to a
> system directory such as the real root /etc/ssh/ using the
> "AuthorizedKeysFile" directive in your sshd_config file. See
> sshd_config(5) man page for details. This is recommended if you
> don't want your users installing their own keys. The ownership of the
> authorized key should be root, but the group should be a user
> specific group, with just read access for the user.

Pitfall #2: Solaris ssh does not support AuthorizedKeysFile; you have
to build and install OpenSSH if you want to use this
very useful trick.
--
_+_ From the catapult of |If anyone disagrees with any statement I make, I
_|70|___:)=}- J.D. Baldwin |am quite prepared not only to retract it, but also
\ / baldwin at panix.com|to deny under oath that I ever made it. -T. Lehrer
***~~~~-----------------------------------------------------------------------
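
An added example, not part of the original message or of scponly: a POSIX shell check for the layout discussed in this thread (keys file moved out of the home directory, owned by root, readable by the user through a user-specific group). The path /etc/ssh/authorized_keys/%u and the function name check_authkeys are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed sshd_config line (hypothetical path; %u expands to the user name):
#   AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#
# check_authkeys FILE OWNER_UID USER_GID
#   OWNER_UID  uid that should own the file and its directory (0 = root)
#   USER_GID   gid of the user's own group
# Prints each problem found; returns 0 if the layout is sound, 1 otherwise.
check_authkeys() {
    file=$1 want_uid=$2 want_gid=$3 rc=0
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "$file: missing or not a regular file"; return 1
    fi
    # ls -ln fields: mode links uid gid ... (numeric ids, no name lookups)
    set -- $(ls -ln "$file")
    mode=$1 uid=$3 gid=$4
    set -- $(ls -lnd "$(dirname "$file")")
    dmode=$1 duid=$3

    [ "$uid" = "$want_uid" ] || { echo "$file: owner uid $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "$file: group gid $gid, expected $want_gid"; rc=1; }
    # Mode string positions: 1 type, 2-4 owner, 5-7 group, 8-10 other.
    case $mode in
        ????r*) ;;
        *) echo "$file: group cannot read it, so the user cannot (Pitfall #1)"; rc=1 ;;
    esac
    case $mode in
        ?????w*|????????w*) echo "$file: writable by group or other"; rc=1 ;;
    esac
    # Whoever can write the directory can replace the file, whatever its mode.
    [ "$duid" = "$want_uid" ] || { echo "directory: owner uid $duid, expected $want_uid"; rc=1; }
    case $dmode in
        ?????w*|????????w*) echo "directory: writable by group or other"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh check_authkeys.sh FILE OWNER_UID USER_GID
if [ $# -eq 3 ]; then
    check_authkeys "$@"
fi
```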