McKown, John wrote:
This is more generic to Linux than specific to z/Linux, but perhaps you
will indulge me. I am curious as to the "best practice" to allow a user
to connect to a Linux server.
1) Telnet and use a normal userid/password - nope, ain't gonna happen.
2) SSH and use a normal userid/password - well, maybe. At least it is
encrypted.
3) SSH and a userid plus ssh-keygen "certificate" (what is that called?)
4) Xvnc???
Not really; the authors of realvnc say the password encryption's
trivially broken.
vnc over ssh is fine.
3) How do you give the key to the other person? USB thumb drive? Email
<shudder>? I guess that emailing a public key would not be bad. True?
My public key gives me access to your system. Anyone want it? Do tell me
the details of how to use my new account:-)
More generally, email can be secure; you encrypt it and you sign it.
Send it to the wrong person, all she gets is a mess of digits. Someone
try to forge my mail, they need my private key.
4) Should the administrator keep copies of everybody's ssh-keygen file
in a secure location (USB thumb drive?) Or should ssh-keygen be rerun in
the case of a problem?
I would have a procedure in place, but I don't think it would include
backups. Regenerating, yes.
6) In any of the above, should logging on with a password be disabled by
removing the password from /etc/passwd or /etc/shadow (I forget how to
do that, off hand - I can look it up.)?
7) I think the above removes the ability to do an "su" to the userid by
any other user than root. True?
I use sudo, configured to use a person's own password. Then,
sudo passwd -l root
and root's password is unusable.
Note that sudo with one's own password grants access to any account.
OTOH, keeping root out of others' accounts needs some work too.
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
Please do not reply off-list
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
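The key-only SSH login and "passwd -l root" setup John describes, turned into an audit script. This is an added example, not code from the thread; the sshd_config and shadow samples are constructed, and the default values assumed for unset keywords are noted in the comments.

```shell
#!/bin/sh
# Added example, not from the thread: verify a host is set up the way the
# reply recommends (SSH keys only, no password logins, root's password locked
# with "passwd -l root"). Samples below are constructed; point the functions
# at /etc/ssh/sshd_config and /etc/shadow to audit a real host (needs root).

# Print the effective value of sshd_config keyword $2 in file $1 (lowercased),
# or $3 if it is never set. Keywords are case-insensitive, the first occurrence
# wins, and directives after a "Match" block are conditional, so stop there.
# Assumes the "Keyword value" form, not "Keyword=value".
sshd_effective() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == k && !found  { print tolower($2); found = 1 }
        END { if (!found) print d }' "$1"
}

# Returns 0 when the config enforces key-only logins, 1 with findings printed.
audit_sshd() {
    rc=0
    v=$(sshd_effective "$1" passwordauthentication yes)   # OpenSSH default: yes
    [ "$v" = no ] || { echo "PasswordAuthentication is '$v', want no"; rc=1; }
    v=$(sshd_effective "$1" pubkeyauthentication yes)     # OpenSSH default: yes
    [ "$v" = yes ] || { echo "PubkeyAuthentication is '$v', want yes"; rc=1; }
    v=$(sshd_effective "$1" permitrootlogin unset)        # default varies; require explicit
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '$v', want no"; rc=1 ;;
    esac
    return $rc
}

# Returns 0 when root's shadow entry is unusable: "passwd -l" prepends "!",
# and "*" is the other conventional locked marker. An EMPTY field is not
# locked, it means login with no password at all, so it fails this check.
root_locked() {
    h=$(awk -F: '$1 == "root" { print $2; exit }' "$1")
    case "$h" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed samples: a stock-looking config, a hardened one, two shadow files.
SAMPLES=$(mktemp -d)
printf '# stock\nPasswordAuthentication yes\nPermitRootLogin yes\n' > "$SAMPLES/weak.conf"
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nPermitRootLogin no\nMatch User backup\n    PasswordAuthentication yes\n' > "$SAMPLES/hard.conf"
printf 'root:$6$fakesalt$fakehash:19000:0:99999:7:::\n' > "$SAMPLES/shadow.open"
printf 'root:!$6$fakesalt$fakehash:19000:0:99999:7:::\njohn:$6$x$y:19000:0:99999:7:::\n' > "$SAMPLES/shadow.locked"

for f in weak hard; do
    if audit_sshd "$SAMPLES/$f.conf"; then echo "$f.conf: key-only login enforced"; fi
done
root_locked "$SAMPLES/shadow.locked" && echo "shadow.locked: root password unusable"
```

Only global directives count: the "PasswordAuthentication yes" inside the Match block of the hardened sample applies to one user and does not change the global result.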