On Wed, Jan 24, 2007 at 01:38:51AM -0600, Travis H. wrote:
> > At this time it appears that I would
> > either have to open up sshd to passwords (I'm not enamored with this idea)
> > and/or teach the remote users to set up and use key pairs (or do it for
> > them).
Another thought:
How about you create an email alias on the system, only accessible from
trusted hosts, where people send an email, and it autogenerates a SSH key,
places the public part in their authorized_keys file and emails the two
files (private and public) and a known_hosts file to the user with the
server's fingerprint, and maybe an installation script? A zip file
with some kind of autorun or something could do it all, maybe even
download and install the approved client. Of course, Unix users already
know how to do all this stuff; I'm assuming those who don't run MS-Win.
It doesn't protect against internal threats, but it leaves logs and
since the end users are employees, you have some leverage over them if
they misbehave. Detection/audit is pretty useless on the Internet,
because it's so hard to identify people, and when you do, they have no
relation to you, and may not be in the same jurisdiction. But IMHO
it's sufficient in a corporate environment; they have the means to
discipline or prosecute those lusers that don't play nice.
Another thing you could do is issue GPG keys and CA cert chains
for your stuff while you're at it; kill several birds with one
stone, or at least do some of the hard stuff ("secure"
bootstrapping).
--
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
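Added example, not part of the message above and not the poster's code: the
server-side half of the provisioning step Travis describes (generate a key pair,
drop the public half into the user's authorized_keys, and build a known_hosts
file that pins the server's host key), as a POSIX shell function the mail-alias
handler could call. Assumptions: per-user authorized_keys files live in a
root-owned directory (sshd_config: AuthorizedKeysFile /etc/ssh/authorized_keys/%u,
overridable here via AUTHORIZED_KEYS_DIR), the server's host key is the file
passed as the third argument, and the hostnames and paths are illustrative.

```shell
#!/bin/sh
# provision_user USER SERVER HOSTKEY_PUB BUNDLE_ROOT
#   USER        login name being provisioned
#   SERVER      hostname the user will connect to (goes into known_hosts)
#   HOSTKEY_PUB server's public host key, e.g. /etc/ssh/ssh_host_ed25519_key.pub
#   BUNDLE_ROOT directory under which USER/ is created and filled; that
#               directory is what gets zipped and mailed to the user
# Writes id_ed25519, id_ed25519.pub, known_hosts and install.sh into the
# bundle, appends the public key to the server-side authorized_keys, and
# prints the SHA256 fingerprint of the pinned host key.
set -eu

provision_user() {
    user=$1; server=$2; hostkey_pub=$3; bundle="$4/$1"
    # Assumed layout; override for testing or a different sshd_config.
    ak_dir=${AUTHORIZED_KEYS_DIR:-/etc/ssh/authorized_keys}

    umask 077
    mkdir -p "$bundle"

    # Refuse to silently re-key an existing user: ssh-keygen would prompt
    # to overwrite (and hang a non-interactive handler), and a re-issue
    # should be a deliberate, logged act.
    if [ -e "$bundle/id_ed25519" ]; then
        echo "provision_user: key already exists for $user" >&2
        return 1
    fi

    # Ed25519 key, unencrypted (-N '') because the user never runs
    # ssh-keygen themselves; the comment ties the key to user, host and
    # date so the server-side authorized_keys stays auditable.
    ssh-keygen -q -t ed25519 -N '' \
        -C "$user@$server provisioned $(date +%Y-%m-%d)" \
        -f "$bundle/id_ed25519"

    # Server side: append the public half to the user's authorized_keys.
    # The directory is root-owned and not writable by the user, so a
    # compromised account cannot quietly add keys for itself.
    mkdir -p "$ak_dir"
    cat "$bundle/id_ed25519.pub" >> "$ak_dir/$user"
    chmod 644 "$ak_dir/$user"

    # known_hosts entry "<host> <type> <base64>" built from the real host
    # key, so the user's first connection is verified against it instead
    # of trusting whatever answers on port 22.
    awk -v host="$server" '{ print host, $1, $2 }' "$hostkey_pub" \
        > "$bundle/known_hosts"

    # Installer for Unix-side users; a Windows client would need its own.
    cat > "$bundle/install.sh" <<'EOF'
#!/bin/sh
set -eu
here=$(cd "$(dirname "$0")" && pwd)
mkdir -p "$HOME/.ssh"
chmod 700 "$HOME/.ssh"
cp "$here/id_ed25519" "$here/id_ed25519.pub" "$HOME/.ssh/"
chmod 600 "$HOME/.ssh/id_ed25519"
chmod 644 "$HOME/.ssh/id_ed25519.pub"
cat "$here/known_hosts" >> "$HOME/.ssh/known_hosts"
chmod 644 "$HOME/.ssh/known_hosts"
EOF
    printf 'echo "installed; connect with: ssh %s@%s"\n' "$user" "$server" \
        >> "$bundle/install.sh"
    chmod 755 "$bundle/install.sh"

    # Fingerprint of the pinned host key; the handler should send this to
    # the user through a channel other than the bundle itself.
    ssh-keygen -l -f "$hostkey_pub" | awk '{ print $2 }'
}
```

The private key travels in the mail in the clear, which is the trade-off the
proposal accepts; the fingerprint printed at the end is what gives the user a
way to notice if the bundle (or the first connection) was tampered with, so it
should reach them separately from the zip, not inside it.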
