Re: ssh with diskless machines

From: Crist J. Clark <crist.clark(at)attbi.com>
Date: Wed Mar 19 2003 - 13:36:21 EST

On Wed, Mar 19, 2003 at 10:35:33AM +0100, Peter wrote:
> Hi there,

That's why it is harder to do. You can't do any authentication until the user logs in.

> How about creating a dedicated user and using `su' to retrieve the

*smile*
You don't seem to get it. If the remote machine can't store a secret (or get it from some non-networked resource, like the human user example), the game is over.

Think about your black hat's attack in this case. We have changed the problem from stealing the host keys via NFS to stealing the keyper user's private key via NFS. The black hat steals the keyper private key, grabs the host keys, and we're back where we started.

There is not a way around it. You can not do digital network authentication without a secret.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc(at)freebsd.org
Received on Wed Mar 19 18:23:21 2003
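
The reasoning in the message above can be written as a small threat-model check. This is an added example, not part of the original post: the `Secret` model, the storage labels and the two sample schemes are constructed assumptions. It computes which secrets someone who can read the NFS export ends up holding.

```python
from dataclasses import dataclass
from typing import Optional

# Storage locations an attacker on the network can reach (assumed labels).
NETWORK_REACHABLE = {"nfs", "key_server"}

@dataclass(frozen=True)
class Secret:
    name: str
    stored_on: str                      # "nfs", "key_server", or "human"
    unlocked_by: Optional[str] = None   # secret needed to obtain this one

def exposed_secrets(secrets):
    """Names of secrets obtainable by an attacker who can read NFS."""
    names = {s.name for s in secrets}
    for s in secrets:
        if s.unlocked_by is not None and s.unlocked_by not in names:
            raise ValueError(f"{s.name}: unknown guard {s.unlocked_by}")
    exposed = set()
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for s in secrets:
            if s.name in exposed or s.stored_on not in NETWORK_REACHABLE:
                continue
            # Unguarded, or guarded only by something already stolen.
            if s.unlocked_by is None or s.unlocked_by in exposed:
                exposed.add(s.name)
                changed = True
    return exposed

# Constructed scheme 1: the "dedicated user" idea. The keyper key sits on
# NFS, and the host key is fetched with it.
KEYPER_SCHEME = [
    Secret("keyper_private_key", "nfs"),
    Secret("ssh_host_key", "key_server", unlocked_by="keyper_private_key"),
]

# Constructed scheme 2: the chain is rooted in a secret that never touches
# the network (a passphrase typed by the human user).
HUMAN_ROOTED_SCHEME = [
    Secret("user_passphrase", "human"),
    Secret("ssh_host_key", "nfs", unlocked_by="user_passphrase"),
]

if __name__ == "__main__":
    print("keyper scheme exposes:", sorted(exposed_secrets(KEYPER_SCHEME)))
    print("human-rooted scheme exposes:", sorted(exposed_secrets(HUMAN_ROOTED_SCHEME)))
```

Adding more intermediate keys only lengthens the chain; the result changes only when the root of the chain is stored somewhere the network cannot reach.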

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT
