On 26-May-00 at 07:19:08 Markus Friedl wrote:
> On Thu, May 25, 2000 at 11:25:18AM +0100, John Horne wrote:
>> In this case ssh should be trying to access root on the local system with
>> the specified key. Root has the key configured into its authorized_keys2
>> file with the 'command=' option. As said, it all worked fine using
>> protocol 1.
> 
> in openssh, the 'command=' syntax is not yet supported for protocol 2.
> 
As I found out after much playing with the keys :-(

>> 1) The local systems where openssh is to be used (initially at least)
>> have no users as such but are used by local computing staff. Is there
>> any way of enforcing that ssh is used for, for example, accessing the
>> systems as root?
> 
> i don't understand what you want? why do you want to prevent the
> users from logging in via ssh and su'ing to root?
>
Spot the newbie bit :-) Thinking about this more, no I don't want to prevent
that since the connection will initially be secure. So no problem with su.

>> At present this is done over the local network in the clear by logging in
>> as themselves and then su'ing to root - hence the password goes over
>> the net in the clear. If I just disabled telnet and su then I'd
>> probably get lynched :-)
> 
> but if telnet is used ssh becomes useless.
>
Exactly, so how do I *force* (i.e. convince them it is a 'good thing') our
users to use ssh without actually deleting the telnet command? Telnet is
still used for simple testing - e.g. "We can't send any mail"; the admin
simply initially uses 'telnet <host> 25' to see what happens. Hence telnet as
a command is still required, and if it is there then the users are probably
going to use 'telnet host' rather than 'ssh host'. They *may* get used to
using ssh, but as always there will be some who don't or take a long time in
converting.

Thanks,

John.

--------------------------------------------------------------------------
John Horne, University of Plymouth, UK             Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]
PGP key available from public key servers
