On Sun, 2009-10-04 at 10:55 +0200, Per Jessen wrote:
Hans Witvliet wrote:
Just block passwords altogether; it doesn't claim any resources on your side (in contrast to scrutinising that number of addresses), and you don't have to analyse your logfiles for ssh attacks, as there won't be any anymore.
Hans, I'm curious - I've always liked this solution, but how do you manage all the keys? AFAICT, each server needs to know about (have the key for) each possible client, right?
Yes. Up till the next release of openssh, there are two mechanisms:

1) On the destination machine you need, in the file ~/.ssh/authorized_keys, all the public keys for that particular user. If that user has different key pairs on different machines, you'll see multiple public keys here.
2) Key pairs can also be tied to a specific non-interactive (remote) application, like rsync.

Generating the keys can also be done in two ways, either on the computer itself or on a security device. If they are created locally, one can still store them on a smartcard afterwards, and protect the private key with a PIN code.

The next version of openssh (openssh-5.2) has a huge step forward (I hope it is 11.2, with this option activated during compilation). openssh is then also capable of extracting the public key from a PKI certificate. If you have PKI certificates from thawte, verisign, cacert, government (and so on), you will be able to use these. This was already available in the commercial version of ssh, from now on also in openssh.

Hans
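Added example (not part of the original mail, and not OpenSSH's own code): one way to keep track of the keys a server accepts is to inventory each ~/.ssh/authorized_keys file and note which keys are tied to a forced command, as in the rsync case mentioned above. The key blobs, the rsync command line and the address in the sample are constructed; the function names are hypothetical.

```python
import base64
import hashlib

KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # how a key-type field starts

def _split_unquoted(text, seps):
    """Split on any char in seps that sits outside double quotes."""
    parts, cur, quoted, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and text[i + 1:i + 2] == '"':
            cur, i = cur + '\\"', i + 2  # escaped quote inside a value
            continue
        if c == '"':
            quoted = not quoted
        if c in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return [p for p in parts + [cur] if p]

def parse_entry(line):
    """Parse one authorized_keys line; None for blank or comment lines."""
    fields = _split_unquoted(line.strip(), " \t")
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    options = {}
    if not fields[0].startswith(KEY_PREFIXES):  # leading options field
        for opt in _split_unquoted(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            options[name.lower()] = value[1:-1] if value[:1] == '"' else (value or True)
    if len(fields) < 2:
        return None
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return {"type": fields[0], "comment": " ".join(fields[2:]),
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
            "forced_command": options.get("command"), "options": options}

def audit(text):
    """Return parsed entries for every key line in an authorized_keys file."""
    return [e for e in map(parse_entry, text.splitlines()) if e]

SAMPLE = """\
# constructed sample: QUJD and REVG are placeholder blobs, not real keys
ssh-rsa QUJD hans@laptop
command="rsync --server -logDtpr . /srv/backup/",no-pty,from="192.0.2.10" ssh-rsa REVG backup job
"""
```

An entry whose `forced_command` is `None` grants whatever access the account normally has over ssh, so those are the keys to review first when a client machine is retired or lost.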