04/09/2007, 21:40   #10
Darren Dunham
Re: where to upload public ssh key

chris <olsen.chris@gmail.com> wrote:
>> No. If you intend to log in as a particular user, then presumably you
>> already have a home directory? Are you using the machine in a different
>> way?

>
> I didn't realize it worked that way. So for a developer on
> SourceForge I take it that they then have an *nix account created for
> them. I figured all developers would just have their public key added
> to the authorized_keys file.


You can do that, but then they would all be allowed to authenticate as
the same user. Usually you want to force them to authenticate as
different users.

The sshd forks a copy for the login user and tries to find a key that
will authenticate. Unless you give it some way to find different data
for different users, they'll all behave the same. You can override
where it looks for the authorized_keys file in the sshd_config file.

    AuthorizedKeysFile
        Specifies the file that contains the public keys that can be used
        for user authentication. AuthorizedKeysFile may contain tokens
        of the form %T which are substituted during connection setup.
        The following tokens are defined: %% is replaced by a literal
        '%', %h is replaced by the home directory of the user being
        authenticated, and %u is replaced by the username of that user.
        After expansion, AuthorizedKeysFile is taken to be an absolute
        path or one relative to the user's home directory. The default
        is ``.ssh/authorized_keys''.

I don't know what would happen if you give it a single global file. I
imagine that means that any user with a valid key will be permitted to
log in as any valid user on the system...

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
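
Added example, not part of the original post: a small Python check that expands an AuthorizedKeysFile value with the tokens from the man page excerpt quoted above and reports any key file that more than one account resolves to, since every key in such a file is tried for each of those accounts. The account names, home directories and config snippets are constructed, and the parser ignores Match blocks.

```python
import posixpath

def patterns(config_text):
    """Return the AuthorizedKeysFile patterns; sshd uses the first value it reads."""
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "authorizedkeysfile":
            return parts[1].split()  # later OpenSSH releases accept several files
    return [".ssh/authorized_keys"]  # default given in the quoted man page

def expand(pattern, user, home):
    """Expand %%, %h and %u, then resolve relative paths against the home directory."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%" and i + 1 < len(pattern):
            token = pattern[i + 1]
            if token not in "%hu":
                raise ValueError("token not in the quoted man page: %" + token)
            out.append({"%": "%", "h": home, "u": user}[token])
            i += 2
        else:
            out.append(ch)
            i += 1
    path = "".join(out)
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(home, path))

def shared_key_files(config_text, accounts):
    """Map each key file that several accounts resolve to onto those accounts."""
    users_by_path = {}
    for pattern in patterns(config_text):
        for user, home in accounts.items():
            users_by_path.setdefault(expand(pattern, user, home), set()).add(user)
    return {p: sorted(u) for p, u in users_by_path.items() if len(u) > 1}

# Constructed sample data (not from the thread).
ACCOUNTS = {"alice": "/home/alice", "bob": "/home/bob"}
GLOBAL_FILE = "Port 22\nAuthorizedKeysFile /etc/ssh/authorized_keys\n"
PER_USER = "Port 22\nAuthorizedKeysFile /etc/ssh/keys/%u\n"

if __name__ == "__main__":
    for name, cfg in (("global", GLOBAL_FILE), ("per-user", PER_USER), ("default", "")):
        print(name, shared_key_files(cfg, ACCOUNTS))
```

An empty result means every account resolves to its own key file; any path listed is shared by the accounts shown next to it.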