> Reading /mnt/factotum/ctl only gives you the keys you are allowed to use.
>
> factotum(4) says:
>
>     The factotum owner can use any key stored by factotum. Any
>     key may have one or more owner attributes listing the users
>     who can use the key as though they were the owner. For
>     example, the TLS and SSH host keys on a server often have an
>     attribute owner=* to allow any user (and in particular,
>     `none') to run the TLS or SSH server-side protocol.
>
> Therefore the example in ssh(1) for generating a key should say:
>
>     auth/rsagen -t 'service=sshserve owner=*' >/mnt/factotum/ctl
none doesn't have access to eve's factotum, so you have to run sshserve
from a trusted listen anyway.

double-checking with my own ssh server, i have (keys deleted)

    key proto=rsa service=sshserve size=1024 ek=B !dk= n= !p= !q= !kp= !kq= !c2=

so i don't think that '*' is required. however i think that running from
/rc/bin/service.auth is.

- erik