On Apr 2, 2007, at 8:45 AM, McKown, John wrote:
2) Or should the user do the ssh-keygen on his workstation, then give the public key to the administrator to put in the user's ~/.ssh/authorized_keys file?
Yes.
3) How do you give the key to the other person? USB thumb drive? Email <shudder>? I guess that emailing a public key would not be bad. True?
That's the whole point of public-key cryptography. The public key is *public*.
4) Should the administrator keep copies of everybody's ssh-keygen file in a secure location (USB thumb drive?) Or should ssh-keygen be rerun in the case of a problem?
You remove the public key from authorized_keys, and generate a new pair.
5) Is there any way for the administrator to guarantee that the user uses a passphrase on his ssh-keygen key file? <I can't find it>
Unknown, but I doubt it. The end user can always re-key access to his private key file, and (I think) change it to no password if he wants; this does not change the actual key, so the remote end doesn't know.
6) In any of the above, should logging on with a password be disabled by removing the password from /etc/passwd or /etc/shadow (I forget how to do that, off hand - I can look it up.)?
Depends on what your local security policy is. Also depends on how you have PAM set up. I think it's generally a good idea to disable password-interactive logins, but it really depends on what you need to be able to do.
7) I think the above removes the ability to do an "su" to the userid by any other user than root. True?
Removing the password certainly would. Adam ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390