host keys authentication

Johan Booysen johan at matrix-data.co.uk
Tue Mar 25 15:39:42 UTC 2008


I did some more testing and managed to get it to work.  Seems to have
just been a permissions issue on the .ssh folder.

The ftp server uses rssh so users get chrooted into their home
directories and use sftp/ssh for data transfer.

One thing I'm not sure of, is the issue of generating keys with empty
passphrases.  According to my tests, the client has to generate a
keypair using empty passphrases, otherwise they get prompted for a
passphrase at login.

What I want to achieve is for only one client to be able to sftp via a
script of some sort, and such that they "automatically" authenticate (no
password/passphrase prompt).

My current solution is for the client to generate the keypair, provide
me with the generated public key, which I then add to the client's .ssh
folder in their home directory as a file called authorized_keys.

Am I on the right track, or am I still maybe missing something?

Would appreciate any advice, as obviously the security aspect is of
great importance.

Thanks.


-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Steve Phillips
Sent: 22 March 2008 15:08
To: Scott Ruckh; General Red Hat Linux discussion list
Subject: Re: host keys authentication

Scott Ruckh wrote:
[snipped bits]
> Are you saying the client is going to be using SFTP and/or SCP and you
> would like to use Public Key Authentication (PKA) with no password? Or
> are you trying to use FTP/s or something entirely different?  What are
> the clients, and what are the client platforms that will need to be
> supported?
>
> If you are trying to implement SFTP/SCP with PKA you might take a look
> at http://www.pizzashack.org/rssh/ or
> http://olivier.sessink.nl/jailkit/.  I successfully implemented both for
> setting up accounts for SFTP/SCP only access along with PKA for
> password-less logins.
> 

Also, the latest version of sshd (which may not be the RHEL 5 version) 
also apparently supports chroot jails for sftp, which it didn't in the 
past, you may want to look into upgrading sshd completely.

afaik, the only versions of sshd that supported chroot jails for users 
were the commercial ones before this.

one thing to be aware of when using public key authing is that the 
permissions are very strict, check that the only person with access to 
the .ssh directory is the user themselves. (also, don't permit empty 
passwords, very bad idea)

HTH,

-- 

Steve.
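
The permission requirement raised in this thread can be checked mechanically. The script below is an added example, not part of the original messages: the function name audit_ssh_perms and its two arguments (home directory, owner uid) are assumptions. It reports what sshd's StrictModes check rejects (home, .ssh or authorized_keys owned by someone other than the user or root, or writable by group/others) and warns when .ssh is reachable by anyone but its owner.

```shell
#!/bin/sh
# Added example: report paths that would make sshd (StrictModes yes) ignore
# a user's authorized_keys, plus the stricter "user only" advice for .ssh.
# Usage: audit_ssh_perms HOME_DIR OWNER_UID   (name and arguments are assumptions)

# Print the path if it is writable by group or others.
loose_write() { find "$1" -prune \( -perm -020 -o -perm -002 \) -print; }

# Print the path if group or others have any access at all.
any_other_access() {
    find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print the path if it is owned by neither the given uid nor root (uid 0).
bad_owner() { find "$1" -prune ! -user "$2" ! -user 0 -print; }

audit_ssh_perms() {
    home=$1 uid=$2 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "FAIL missing: $p"; rc=1; continue
        fi
        if [ -n "$(loose_write "$p")" ]; then
            echo "FAIL group/other writable: $p"; rc=1
        fi
        if [ -n "$(bad_owner "$p" "$uid")" ]; then
            echo "FAIL wrong owner: $p"; rc=1
        fi
    done
    # Stricter than sshd requires: nobody but the owner should reach .ssh.
    if [ -d "$home/.ssh" ] && [ -n "$(any_other_access "$home/.ssh")" ]; then
        echo "WARN .ssh accessible by group/others: $home/.ssh"
    fi
    return $rc
}

# Run only when called with both arguments, e.g.: sh audit.sh /home/client 1001
if [ "$#" -eq 2 ]; then
    audit_ssh_perms "$1" "$2"
fi
```

A non-zero exit status means at least one FAIL line was printed; WARN lines do not change the exit status.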
