Uh, a couple of things - first of all, sending the keys to the clients is a really bad move. What you _really_ want is for the client to generate their SSH keys and then send the public keys to you. This avoids all sorts of private key compromise opportunities.

After that I guess you want to read the manpages about how to require public key auth. From a _really_ brief glance, it looks like you want to mess with the RequiredAuthentications keyword in the config file. Oh, if publickey is enough for you, you could change the AllowedAuthentications from "password,publickey" to just "publickey".

Personally, I would ask for publickey and password - to do that just add both methods to the RequiredAuthentications. This makes access two factor at worst. If you only use the RSA auth then a busted client implementation or improperly stored keypair means that compromised / stolen hosts are a free ticket. (OK, that's a lie - a compromised host can be assumed to be running a password grabber, but I'm thinking more about stolen laptops.)

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520

> -----Original Message-----
> From: Roy Harrison [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, 26 August 2000 1:13 AM
> To: [EMAIL PROTECTED]
> Subject: SSH
>
> I'm trying to set SSH up so that a client cannot log onto a server unless
> the client has been given a key from the server. Either I put it on a
> floppy or e-mail it to the client.
>
> I installed SSH2 server on a Linux machine and a client on NT and Linux and
> was able to log right on using just the server's password. I was expecting
> more authentication from SSH itself.
>
> Any help would be welcome.
>
> Thanks
>
> Roy Harrison
>
> Research Libraries Group
> Servers and Networking Group
> Mountain View, CA
> 650.691.2326
> [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
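Added example, not part of the original thread and not code from either poster: a small Python check that reads sshd2_config-style text and reports which login methods are sufficient under the AllowedAuthentications and RequiredAuthentications settings discussed in the reply. The keyword semantics are assumed from the reply's description, and the function names and sample configs are constructed for illustration.

```python
# Added example (not from the thread). Assumed semantics, taken from the reply:
#   AllowedAuthentications  - any ONE listed method is enough to log in
#   RequiredAuthentications - ALL listed methods must succeed; overrides Allowed

def parse_auth_settings(config_text):
    """Extract the two keywords from sshd2_config-style 'Keyword value' lines."""
    settings = {"allowed": [], "required": []}
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) != 2:
            continue
        key = parts[0].rstrip(":").lower()
        methods = [m.strip().lower() for m in parts[1].strip().strip('"').split(",") if m.strip()]
        if key == "allowedauthentications":
            settings["allowed"] = methods
        elif key == "requiredauthentications":
            settings["required"] = methods
    return settings

def audit(config_text):
    """Report which method combinations are sufficient for a login."""
    s = parse_auth_settings(config_text)
    if s["required"]:
        sufficient = [tuple(s["required"])]         # one combination: all of them
    else:
        sufficient = [(m,) for m in s["allowed"]]   # each allowed method alone
    return {
        "sufficient": sufficient,
        "password_alone_ok": ("password",) in sufficient,
        "publickey_enforced": bool(sufficient) and all("publickey" in c for c in sufficient),
        "two_factor": bool(sufficient) and all(len(set(c)) >= 2 for c in sufficient),
    }

# Constructed sample configs for the three setups discussed in the thread.
AS_INSTALLED = "AllowedAuthentications   password,publickey\n"
KEY_ONLY = "AllowedAuthentications   publickey   # password removed\n"
KEY_AND_PASSWORD = AS_INSTALLED + "RequiredAuthentications  publickey,password\n"

if __name__ == "__main__":
    for name, cfg in [("as installed", AS_INSTALLED), ("publickey only", KEY_ONLY),
                      ("publickey + password", KEY_AND_PASSWORD)]:
        print(name, audit(cfg))
```

The "as installed" case reproduces the behaviour from the original question: with both methods merely allowed, the password alone is enough to log in.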
