SSH publickey auth
Vinicius
cviniciusm at terra.com.br
Tue Jul 12 00:29:11 UTC 2005
Alexander Dalloz wrote:
> On Mon, 11.07.2005 at 22:12, Michael Yep wrote:
>
>
>>Client machine WinXP
>> Directory of c:\Documents and Settings\myep\.ssh
>>
>>07/08/2005 01:56 PM <DIR> .
>>07/08/2005 01:56 PM <DIR> ..
>>07/08/2005 01:43 PM 951 id_rsa
>>07/08/2005 01:43 PM 238 id_rsa.pub
>>07/08/2005 01:53 PM 477 known_hosts
>>
>>Server machine FC4
>>[root at localhost .ssh]# ll
>>total 24
>>-rw------- 1 rlback rlback 238 Jul 8 13:48 authorized_keys
>>-rw------- 1 rlback rlback 951 Jul 8 13:43 id_rsa
>>-rw------- 1 rlback rlback 238 Jul 8 13:43 id_rsa.pub
>>
>>Can someone tell me if this is correct?
>
>
> Do you intend to connect from client to server and vice versa? If you do
> only ssh connect from the client to the server, then on the server you
> only have to deposit the public key part (id_rsa.pub) as filename
> authorized_keys. It is then safer to remove the private key part
> (id_rsa).
>
>
>>Can we even have a good measure of security with keys residing on a
>>windows machine?
>
>
> That is hard to say in general. Take care that no co-worker has access
> to your private file area on the client (NTFS is a must!). Don't work as
> administrator if you don't have to for some maintenance tasks. Those are
> the usual guidelines.
>
> And an additional word about the keys: back them up somewhere in a safe
> place, e.g. on a memory stick with encryption on it. Maybe don't even
> store the keys on the client but just have them on a medium you
> carry with you (backed up with other important data on a CD). PuTTY can run
> from a USB stick and needs no installation process on Windows®.
>
>
>>Michael Yep
>
>
> Alexander
>
>
>
But we can use a distro live CD, for example the Knoppix Live CD, which
has NTFS support, and boot the computer with it. Then we can see the
entire content of the HD.
I agree with Alexander's suggestion to put the key on a memory stick,
or on a CD.
I think even a Linux server can be seen with a Live CD.
So physical access to an important computer must be restricted.
Regards,
Vinicius.
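Added here as an example (not code from the thread or from any of its participants): a small POSIX shell audit of a server-side .ssh directory against Alexander's advice above, that only authorized_keys (built from id_rsa.pub) belongs on the server, the private key should be removed, and nothing may be readable by other users. The fixture reproduces the three-file layout Michael listed; the key material in it is a constructed placeholder, and the 700/600 modes are the ones sshd's default StrictModes check expects.

```shell
#!/bin/sh
# Added example (not code from the thread): audit a server-side .ssh dir
# against the advice quoted above. Key material below is a placeholder.

# Octal mode of a path; GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Prints one WARN line per finding; returns 1 if anything was found.
audit_ssh_dir() {
    d=$1; n=0
    # sshd (StrictModes, the default) rejects keys when the directory or
    # authorized_keys is writable by others; 700/600 is the safe setting.
    [ "$(mode_of "$d")" = 700 ] ||
        { echo "WARN: $d is mode $(mode_of "$d"), want 700"; n=$((n+1)); }
    if [ -f "$d/authorized_keys" ]; then
        [ "$(mode_of "$d/authorized_keys")" = 600 ] ||
            { echo "WARN: authorized_keys is mode $(mode_of "$d/authorized_keys"), want 600"; n=$((n+1)); }
    else
        echo "WARN: no authorized_keys in $d"; n=$((n+1))
    fi
    # The private key is only needed on the client; on the server it is
    # just one more secret that has to be protected.
    [ ! -f "$d/id_rsa" ] ||
        { echo "WARN: private key id_rsa present in $d"; n=$((n+1)); }
    # If id_rsa.pub was copied as well, each key in it should be authorized.
    if [ -f "$d/id_rsa.pub" ] && [ -f "$d/authorized_keys" ]; then
        while IFS= read -r key; do
            grep -qxF "$key" "$d/authorized_keys" ||
                { echo "WARN: key '$key' from id_rsa.pub not in authorized_keys"; n=$((n+1)); }
        done < "$d/id_rsa.pub"
    fi
    [ "$n" -eq 0 ]
}

# Constructed fixture reproducing the server listing in the thread:
# authorized_keys, id_rsa and id_rsa.pub, all mode 600, inside a 700 dir.
make_fixture() {
    d=$1
    mkdir -p -m 700 "$d"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC-placeholder-not-a-real-key user@winxp" > "$d/id_rsa.pub"
    cp "$d/id_rsa.pub" "$d/authorized_keys"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_rsa"
    chmod 600 "$d/id_rsa" "$d/id_rsa.pub" "$d/authorized_keys"
}

# Demo: with the thread's layout the only finding is the stray private key.
tmp=$(mktemp -d); make_fixture "$tmp/.ssh"
audit_ssh_dir "$tmp/.ssh" || true
rm -rf "$tmp"
```

Run it against a real account with `audit_ssh_dir ~/.ssh` after sourcing the file; the fixture part only exists so the script can be tried without touching real keys.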