Re: Re: please remove permission check that disallows private-group access.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 10/22/2018 11:55 PM, Blumenthal, Uri - 0553 - MITLL wrote:
> Not so fast. If a home directory is on an NFS or AFS filesystem, where would
> that "determined sysadmin" copy the keys to?

If there's not only a shared $HOME between two userids but also remote
mounts, you have THREE security contexts to keep track of:
localuser@centralhost, networkuser@centralhost and
networkuser@whereverelsetheHOMEismountedto. Since all *other* machines
would need to be expected to use the standard $HOME/.ssh to find stuff
in, I would give serious thoughts to compiling OpenSSH on centralhost to
default to $HOME/.ssh-%u or somesuch instead. It takes but *one* user
who'ld like to keep his configs *separate* to make the point of such a
setup.

> Not to mention the question of what business that "determined sysadmin" has
> touching my keys?

Oh, I *would* prefer not to. And then I look at how many of our users
actually stick to established security procedures ("I've put your
[security relevant data including personal keypair] *there*, please
*delete* it off that server once you've downloaded it") and ...

Regards,
-- 
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux