Hello,

> Did anyone ever discuss this in more detail, or reply to it?

Which part? "My understanding" or "non-portable"? Well, there is nothing
to discuss about the "my understanding" part, it's all true. As for the
"non-portable" part, look at mine:
http://fy.chalmers.se/~appro/ssh_beyond.html. It's a way. Yes, it's
1.2.x-based (the page originates in 1996) and the "certificate" is somewhat
primitive (at the very least an expiration date might be desired), but the
idea is there...

> My understanding is that RSAAuthentication is most secure,

Backed up by the ssh-agent, RSAAuthentication is rather "most convenient"
in my opinion :-)

> When using RSAAuthentication, the only thing that is consulted for auth is the
> authorized_keys on the server, and the identity key on the client, thus
> installing one's own .ssh directory would give them access to the box.

It will always be as secure as the weakest component. If the home directory
(or any other source of user public keys) is the weakest link, then
RSAAuthentication won't buy you anything.

Andy.
