begin quoting Dexter Filmore as of Thu, Mar 16, 2006 at 03:06:19PM +0100:
> > > To have an official standard.
> >
> > I guess I don't see why an official standard is needed for a one-liner.
>
> For partly automation.
>
> > Plus, I would think that each administrator would have their own
> > set of standards that they should enforce; an "official standard" would
> > lead to automatic reactions instead of thinking for three seconds.
>
> Well, depending on what type of architecture you have to manage, those 3 sec
> can accumulate rather quickly. I don't say "take human brains out of
> decision", but it should have a form that is manageable by software frontends.

There are three parts to this process --

(1) the user requesting that a copy of their public key be sent to an
administrator to create an account for that user; that's trivial from the
command line and in no need of automation, but that's what you're looking at
if you want to add some behavior to ssh to mail an administrator.

(2) the administrator determining if they want to grant access to a user who's
provided them with a public key -- this is constrained by the site and machine
policy, and so is not suitable for automation within the tool.

(3) the administrator drops the provided public key into
~user/.ssh/authorized_keys, which is a trivial operation, easily automated by
the install and setup scripts for the account, and should also not be
integrated into ssh any more than it has been by _providing_ a file
'authorized_keys'.

I see the desire to automate a process, but I just don't see where it would be
beneficial to add anything more to ssh; it's about as simple as can be already.

> > I mean, how is ssh going to authenticate you to the remote administrator?
>
> Rather meant that ssh(d) should look in a defined place for the public key and
> then inform the admin that a new one's waiting for auth. I wouldn't wanna
> have it 100% automated either.

That's /var/spool/mail/root, surely.

I could envision a process where when the administrator logs in via ssh,
they're presented with a list of pending public keys and account-names, and
they can say "y" or "n" to each of 'em... but that just makes _more_ work for
the administrator.

> > (This is where PKI comes in, I suppose... you and the administrator should
> > share a common certificate authority, so he can look up/verify your cert.
> > Do we want to start putting ssh public keys into a PKI framework?)
>
> Sounds tempting doesn't it...

Not really... But that's just me. I don't run large homogeneous networks. :)

I think this is where the LDAP-using folks should get involved. They're doing
distributed authentication already, and that's basically what we're looking at.

> > So you'd walk up to the administrator and say "I'd like an account on
> > machine $FOO", hand 'em your company badge and a USB stick? (And, one
> > hopes, the fingerprint to your key on a sheet of paper.)
>
> Pardon? I mean, my public key can travel as much as it wants, can it not?
> After all, it's a *public* key.

Yup. But whose public key just got mailed to you? It _looks_ like it's me, but
it could really be Tracy.

> > It won't help you log in from an arbitrary machine, which is what I
> > thought you were trying to do. If you're just trying to distribute
> > your public key so you can access various machines from your primary
> > box, that's different.
>
> That's pretty much what I want. Example: got three machines here. (Yet :) )
> So I'd like all three of them to hold my public key and when I connect my usb
> stick to *one* machine I'd like to be able to ssh into the others, too, without
> providing a password.

That means you're carting around your private key on that USB stick. (If you
stick that stick into an untrusted machine, you've compromised three machines.
Not a good idea.) You can do that now.

If you're going to cart around just the public keys, then you could stick your
stick into a machine, copy some data around, and now any of the _other_
machines can log _in_ to this one.

> > Smart Cards aren't around because they aren't widely used; but they're
> > being used in more and more systems.
>
> I'll have a look at that when smart card readers are as common as usb ports.

You can buy a keyboard with a smartcard reader built in to it.

> > Technology that doesn't _actually_ solve your problem isn't worth much.
>
> Technology that nobody has either.

Funny, I see a _lot_ of smartcards these days. The technology is there. You're
just not shopping for it.

[snip]

> > In a corporate environment especially, one-key-fits-all-locks is a lousy
> > design, despite being highly desired.
>
> Well, one key fits all works in my case since I granted myself access to all
> my stuff :) - different thing in a company of course, but at the CeBit
> Toshiba had those neat 4GB SD cards - can hold a lot of keys, I'd say...

Overkill, unless you want to go to using a One Time Pad. :)

--
_ |\_ \| -- [email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
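Step (3) of the process described in the message above (the administrator dropping a submitted public key into ~user/.ssh/authorized_keys) is the part the author says is easily scripted. The following is an added example, not code from the thread or from OpenSSH, showing the checks such a script should make before appending: the line must look like an OpenSSH public key, it must not already be present, and the directory and file must end up with the permissions sshd requires. The home directory, the key line and its base64 blob are constructed placeholders for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example: install a submitted public key into an account's
# authorized_keys with the checks an administrator would want first.
# Nothing here is from the original message or from OpenSSH.

# Accept a single OpenSSH public-key line: "<type> <base64 blob> [comment]".
# Rejects unknown key types and blobs with characters outside base64.
valid_pubkey_line() {
    line=$1
    case "$line" in
        *" "*) ;;                      # needs at least "<type> <blob>"
        *) return 1 ;;
    esac
    type=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$blob" ] || return 1
    case "$blob" in
        *[!A-Za-z0-9+/=]*) return 1 ;;  # not base64
    esac
    return 0
}

# Install one public-key line for the account whose home directory is $1.
# Returns 0 on success, 1 for a malformed line, 2 for an exact duplicate.
# Creates ~/.ssh with mode 700 and authorized_keys with mode 600, which is
# what sshd's default StrictModes expects before it will honour the file.
install_authorized_key() {
    home=$1
    keyline=$2
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    if ! valid_pubkey_line "$keyline"; then
        echo "rejected: malformed public key line" >&2
        return 1
    fi
    if [ -f "$authkeys" ] && grep -qxF -- "$keyline" "$authkeys"; then
        echo "rejected: key already present" >&2
        return 2
    fi
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    # Append under a restrictive umask so a freshly created file is never
    # world-readable even for an instant.
    ( umask 077; printf '%s\n' "$keyline" >> "$authkeys" ) || return 1
    chmod 600 "$authkeys"
    return 0
}

# Number of key lines currently installed for the account at $1.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then wc -l < "$f" | tr -d ' '; else echo 0; fi
}

# Demonstration on a throwaway home directory. The key blob is a constructed
# placeholder of the right shape, not a real key.
demo() {
    home=$(mktemp -d)
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@example'
    install_authorized_key "$home" "$key" && echo "installed"
    install_authorized_key "$home" "$key" || echo "second copy refused (status $?)"
    install_authorized_key "$home" 'ssh-dss not!base64' || echo "bad line refused (status $?)"
    echo "keys now installed: $(count_authorized_keys "$home")"
    ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
    rm -rf "$home"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh install_key.sh demo` to see one key accepted, the duplicate and the malformed line refused, and the resulting permissions. The duplicate check is an exact-line match, so the same key with a different comment would be installed twice; compare on the blob field instead if that matters on your systems. What the script deliberately does not do is step (2): deciding that the key really belongs to the person asking. That is the out-of-band comparison of the fingerprint (ssh-keygen -lf on the submitted file against the one handed over on paper) that the thread keeps coming back to, and it is the step that does not belong in a script.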
