This is more generic to Linux than specific to z/Linux, but perhaps you will indulge me. I am curious as to the "best practice" to allow a user to connect to a Linux server.
1) Telnet and use a normal userid/password - nope, ain't gonna happen.
2) SSH and use a normal userid/password - well, maybe. At least it is encrypted.
3) SSH and a userid plus ssh-keygen "certificate" (what is that called?)
4) Xvnc???

Personally, I like option 3. But, when I think of security, I am a bit paranoid. The question then becomes: After the userid is set up, who does the ssh-keygen?

1) Should the system administrator log on as himself, then "su" to the new user, do the ssh-keygen, then distribute the private key to the user?
2) Or should the user do the ssh-keygen on his workstation, then give the public key to the administrator to put in the user's ~/.ssh/authorized_keys file?
3) How do you give the key to the other person? USB thumb drive? Email <shudder>? I guess that emailing a public key would not be bad. True?
4) Should the administrator keep copies of everybody's ssh-keygen file in a secure location (USB thumb drive?) Or should ssh-keygen be rerun in the case of a problem?
5) Is there any way for the administrator to guarantee that the user uses a passphrase on his ssh-keygen key file? <I can't find it>
6) In any of the above, should logging on with a password be disabled by removing the password from /etc/passwd or /etc/shadow (I forget how to do that, off hand - I can look it up.)?
7) I think the above removes the ability to do an "su" to the userid by any other user than root. True?

Thanks for any thoughts. If too off-topic, please just ignore this or email me directly to "go away, boy. You're bothering me." (W.C. Fields?)

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group Information Technology

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
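Worked as an added shell example (not from the original post or any reply), the provisioning steps the questions above circle around: installing a public key the user supplied (Q2), checking whether a private key file carries a passphrase (Q5), and confirming sshd refuses password logins (Q6). It assumes a POSIX sh with GNU-style `base64 -d` and `head -c`; the function names and all paths are hypothetical and passed as parameters.

```shell
#!/bin/sh
# Added example, not from the original post: helper functions for the
# provisioning questions above. Every path is a parameter, so the functions
# can be exercised against a scratch directory instead of a live account.

# Q2: the user generates the key pair on the workstation and hands over only the
# public key; the admin installs it with the permissions sshd's StrictModes needs.
install_authorized_key() {   # $1 = user's home directory, $2 = file holding one public-key line
    home=$1 pub=$2
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub" || return 1
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # idempotent: append only when this exact line is not already present
    grep -qxF "$(cat "$pub")" "$home/.ssh/authorized_keys" || cat "$pub" >>"$home/.ssh/authorized_keys"
}

# Q5: the server never sees the private key, so it cannot enforce a passphrase;
# the key FILE can be inspected wherever it is kept (workstation, escrow copy).
# Prints the cipher protecting it: "none" means the file is usable as-is.
private_key_cipher() {       # $1 = private key file (OpenSSH or older PEM format)
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # decoded body: "openssh-key-v1\0" + len + ciphername + len + kdfname ...
        sed '/^-----/d' "$1" | base64 -d | head -c 64 |
            LC_ALL=C tr -c 'a-zA-Z0-9@.-' '\n' | grep -v '^$' | sed -n 2p
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
    else
        echo none
    fi
}
key_has_passphrase() { [ "$(private_key_cipher "$1")" != none ]; }

# Q6: besides locking the account password, make sshd itself refuse passwords.
# sshd takes the FIRST value it sees for a keyword, and the keyboard-interactive
# (PAM) method must be off too or a password prompt survives.
sshd_setting() {             # $1 = sshd_config, $2 = keyword, $3 = default when absent
    v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$1")
    echo "${v:-$3}"
}
password_login_disabled() {  # $1 = sshd_config
    kbd=$(sshd_setting "$1" KbdInteractiveAuthentication \
          "$(sshd_setting "$1" ChallengeResponseAuthentication yes)")
    [ "$(sshd_setting "$1" PasswordAuthentication yes)" = no ] && [ "$kbd" = no ]
}
```

The sshd check reads the one file it is given, ignoring Include and Match blocks. For Q7, `passwd -l user` locks the account password so that su from a non-root account fails, while root's su, which never asks for a password, still works.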
