
Re: [bam: Re: ssh vs kerberos]



Brian May <bam@snoopy.apana.org.au> writes:

> >If you want to do RSA-based authentication, you can do that, and try to
> >protect your private keys, but it's not necessary.  If you choose to do
> >this, you can also limit the privilege of a given private key (for example,
> >by only allowing it to execute a particular command).
> 
> True. I tend to think though that time limited tickets are more useful
> than command limited keys - who uses command limited keys? I would be
> interested in knowing useful applications, in areas where it increases
> security...

The push mirrors use them.

A push mirror admin can install the ``ftpsync'' script, without
trusting master, or any of its users more than being willing to start
that script when asked to.

The worst that could be done is a DOS attempt by starting it fifty
times a second, and there are easier ways of doing DOSs, that don't
require you to break into master first.

Cheers, Phil.
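
Added example, not part of the original message: a small auditor for an authorized_keys file that reports keys which are not limited to a forced command or which still allow a pty or forwarding. The script path /home/mirror/bin/ftpsync, the key comments and the key material are constructed placeholders.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
LOCKS = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def split_unquoted(text, seps):
    """Split text on any character in seps that sits outside double quotes."""
    parts, cur, in_q, esc = [], [], False, False
    for ch in text:
        if esc:                       # character after a backslash inside quotes
            cur.append(ch); esc = False
        elif ch == "\\" and in_q:
            cur.append(ch); esc = True
        elif ch == '"':
            in_q = not in_q; cur.append(ch)
        elif ch in seps and not in_q:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def audit(line):
    """Return findings for one authorized_keys line, or None for blanks/comments."""
    fields = [f for f in split_unquoted(line.strip(), " \t") if f]
    if not fields or fields[0].startswith("#"):
        return None
    opts = set()
    if not fields[0].startswith(KEY_TYPES):
        # First field is the option list; option names are case-insensitive.
        opts = {o.partition("=")[0].lower() for o in split_unquoted(fields[0], ",")}
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    for lock in LOCKS:
        # "restrict" switches every lock on; an explicit "pty" etc. re-opens one.
        is_open = lock[3:] in opts if "restrict" in opts else lock not in opts
        if is_open:
            findings.append(lock + " not in effect")
    return findings

# Constructed sample input (placeholder key material, assumed script path).
SAMPLE = '''\
# keys accepted for the mirror account
ssh-rsa AAAAB3PLACEHOLDER push@master
command="/home/mirror/bin/ftpsync",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER push@master
'''

def audit_text(text):
    """Map line number -> findings for every key line in the text."""
    return {n: f for n, l in enumerate(text.splitlines(), 1) if (f := audit(l)) is not None}

if __name__ == "__main__":
    for n, f in audit_text(SAMPLE).items():
        print(n, "OK" if not f else "; ".join(f))
```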

