begin quoting Dexter Filmore as of Wed, Mar 15, 2006 at 06:46:46PM +0100:
> On Saturday, 11 March 2006 00:00, Tracy R Reed wrote:
[snip]
> > You would only need to put your public key on the remote machine.
> > Normally you email it to the admin and he installs it for you in lieu of
> > setting you a password and telling you the password.
>
> Even better was if ssh sent the public key to that machine and emailed the
> admin with a request to allow the key to login.
> One would have to code that into ssh of course or similar.

Why?

  % ( echo Add me please as $USER ; cat ~/.ssh/id_dsa.pub ) | mail [EMAIL PROTECTED]

> I like key login. I don't type passwords into my car, front door or whatever
> either, and if one is able to look after his car keys not to get stolen he
> should be able to do the same with a usb stick.

A password is typically considered analogous to a key. A usb stick is
basically just a very long password that you have to keep written down
somewhere. Stick your USB stick into an untrusted computer, and your key
is compromised, just like a fixed password would be.

Go one step further ... use a smart-card; to communicate with the remote
system, the local system streams data to the smart card, and the smart
card encrypts/decrypts it. Include a challenge-response mechanism in there
as well, and you have something worthwhile. An untrusted computer can't do
anything to you after the fact, but only while you're using it.

(Best is a laptop -- you keep your keys, input system, and display system
all under *your* control. Trusted endpoints, untrusted network.)

> What I would want is a key that not only grants me access to the local machine
> but to any machine on the network I'm supposed to have access to.

That would be equivalent to having one key to your car, your front door,
your side door, your safe, your suitcases, etc. Not really a great idea.

"Least Privilege" is often the principle indicated at this point.

-- 
_ |\_ \|
-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
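
The difference the reply draws between a key file on a USB stick and a smart card doing challenge-response, as an added example that is not part of the original message. Assumptions: an HMAC over a server nonce stands in for the card's cryptographic operation, and Server, Token and the helper functions are hypothetical names, not part of ssh.

```python
import hashlib
import hmac

import secrets

def mac(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()

class Server:
    """Verifier: issues a fresh single-use nonce for every login attempt."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:      # unknown or already consumed
            return False
        self._pending.discard(nonce)
        return hmac.compare_digest(mac(self._secret, nonce), response)

class Token:
    """Smart-card stand-in: answers challenges, never exports the secret."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return mac(self._secret, nonce)

def host_sees_with_stick(secret: bytes, server: Server):
    """Key file on a USB stick: the host must read the key to use it."""
    nonce = server.challenge()
    return server.verify(nonce, mac(secret, nonce)), {"key": secret}

def host_sees_with_token(token: Token, server: Server):
    """Token: the host relays one nonce and one response, nothing else."""
    nonce = server.challenge()
    response = token.respond(nonce)
    return server.verify(nonce, response), {"nonce": nonce, "response": response}

def later_login(server: Server, recorded: dict) -> bool:
    """What the host's recording is worth after the user has left."""
    fresh = server.challenge()
    if "key" in recorded:
        return server.verify(fresh, mac(recorded["key"], fresh))
    # Only an old transcript: its response does not match a fresh nonce.
    return server.verify(fresh, recorded["response"])
```
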
