I hope someone can help with this finding.
We are investigating centralized control of the authorized_keys file in
a root-owned directory with world-readable permissions so we can control
key usage. We have added user1@hosta's key into this file.
Here is the situation:
user1@hosta has a key on hostb in the authorized_keys file.
From hosta, user1 can ssh to user2@hostb and log in using user1's key
(it doesn't matter whether a passphrase is set or not, or whether an agent is
running or not).
It seems that so long as user1 has a key on any machine, and it exists
in the authorized_keys file, user1 can ssh to those remote hosts as
anyone else.
It seems that the commercial version has solved this by not adding the
key itself to the authorized_keys file, rather using a directive "Key
user1key.pub" and then restricting read access on the key file to only user1.
AMS :-)
--
Armin M. Safarians Safeway Inc.
VOICE: 925.944.4246
EMAIL:armin.safarians@Safeway.com
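As an added example that is not part of the original post: a small POSIX shell audit helper that reads an sshd_config and flags an AuthorizedKeysFile setting that points every account at one shared file (the condition described above), as opposed to a per-user path built with OpenSSH's %u or %h token, which keeps the central root-owned directory but binds each key file to one account. Both configs are constructed samples; the helper function names are mine.

```shell
#!/bin/sh
# Audit helper added for illustration; not code from the original post.
# Flags an sshd_config whose AuthorizedKeysFile sends every account to one
# shared file, so any key listed there can log in as any user.

# Constructed sample: the shared-file layout described in the post.
SHARED_CFG='# sshd_config (constructed sample)
Port 22
AuthorizedKeysFile /etc/ssh/keys/authorized_keys
PubkeyAuthentication yes'

# Constructed sample: same central root-owned directory, one file per account.
# sshd expands %u to the login name, so user1 can only use keys in user1's file.
PER_USER_CFG='# sshd_config (constructed sample)
Port 22
AuthorizedKeysFile /etc/ssh/keys/%u/authorized_keys
PubkeyAuthentication yes'

# Print the AuthorizedKeysFile value from config text on stdin.
# sshd honours the first occurrence of a keyword, so stop at the first match.
authorized_keys_paths() {
    awk 'tolower($1) == "authorizedkeysfile" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Classify the config text in $1:
#   0 - every configured path is per-user (relative to $HOME, or uses %u/%h)
#   1 - at least one absolute path without %u/%h, i.e. one file shared by all
#   2 - keyword absent (sshd then uses .ssh/authorized_keys under each home)
check_authorized_keys_file() {
    paths=$(printf '%s\n' "$1" | authorized_keys_paths)
    [ -n "$paths" ] || return 2
    for p in $paths; do
        case "$p" in
            /*%u*|/*%h*) ;;            # absolute, but per-user via token
            /*) echo "shared authorized_keys for all accounts: $p" >&2
                return 1 ;;
            *) ;;                      # relative path: resolved under the user's home
        esac
    done
    return 0
}

# Stand-alone run: report both samples.
check_authorized_keys_file "$SHARED_CFG"   && echo "SHARED_CFG: per-user" || echo "SHARED_CFG: shared file"
check_authorized_keys_file "$PER_USER_CFG" && echo "PER_USER_CFG: per-user" || echo "PER_USER_CFG: shared file"
```

The check only reads the first global AuthorizedKeysFile line; settings inside Match blocks are not inspected.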
Received on Wed Jul 16 18:57:20 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:01 EDT