On Mon, Jan 22, 2007 at 11:04:56AM -0500, Chris Smith wrote:
> Also, as it is currently, sshd only allows access via public
> key - "PasswordAuthentication no",

Wise. Why play the game of "try to detect bad passwords chosen by users" instead of just avoiding it altogether? You know someone will eventually spell their name backwards, or pick the name of their university, or something like that which is not in your dictionary.

> At this time it appears that I would
> either have to open up sshd to passwords (I'm not enamored with this idea)
> and/or teach the remote users to set up and use key pairs (or do it for
> them).

Yeah. You can mitigate the script-kiddie dictionary attacks by running ssh on a different port, which could be done with a totally separate sshd, and maybe there's a way to point them at separate passwd files or sources of authentication information; the non-standard one could only serve entries with authpf as a shell, for example.

> Is this a correct assumption or does authpf offer any kind of workaround?

I can't think of what would be both easier/simpler than setting up ssh keys and more secure than passwords. You could use portknocking, or something, but it seems to me that it'd be even more complicated for end-users.

But since they don't have logins on the box anyway, you could just assign a long, strong, randomly-chosen password to them and not allow them to change it. My advice is that they write it on a piece of paper, without any other information that would give it context, and put it in their wallet.

Long-term, you may want to consider LDAP for SSO and give everyone one password (that you assign) for everything. It's surprising how quickly you can memorize 9-character random passwords when you have to type them all the time.

If you can think of another alternative, you might be able to script something together using dfd_keeper (see my homepage).

-- 
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
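As an added illustration of the split-daemon idea in the reply above (this is not part of the original thread), here is how the two sshd instances could be configured: the main daemon stays key-only on the standard port, while a second daemon on a non-standard port accepts passwords only from accounts whose login shell is authpf. The group name authpf, port 2222, the config path and the pid file path are assumptions; everything else is standard sshd_config syntax.

```text
# /etc/ssh/sshd_config  (main daemon on port 22: public keys only)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# Also close keyboard-interactive, or "PasswordAuthentication no" is not enough
ChallengeResponseAuthentication no
PermitRootLogin no

# /etc/ssh/sshd_config.authpf  (assumed path; second daemon for authpf users)
# Started alongside the main one with:  /usr/sbin/sshd -f /etc/ssh/sshd_config.authpf
# assumed non-standard port to keep the script kiddies off it
Port 2222
# separate pid file so the two daemons do not clobber each other
PidFile /var/run/sshd.authpf.pid
# assumed group holding only the accounts whose shell is authpf
AllowGroups authpf
# the long, admin-assigned passwords the reply recommends
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# blunt whatever dictionary attacks still find the port
MaxAuthTries 3
LoginGraceTime 30
# an authpf session exists only to hold the pf rules open; no tunnels needed
AllowTcpForwarding no
X11Forwarding no
```

Comments are kept on their own lines because older sshd versions reject trailing comments after a keyword's arguments.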
