* Dave Sherohman <[EMAIL PROTECTED]> [2001.11.29 09:47:17-0600]:
> ...all of which is not a detriment to a key which is being used to
> establish _anonymous_ access. If it was intended for authenticated
> access by a trusted user or users, then you're absolutely correct.
> Dmitri, however, is suggesting that a specific key pair be designated
> for anonymous access, which suggests that distribution of the private
> key to any and all interested third parties with a minimum of
> accountability is not only acceptable, but probably also desirable.

okay, so potentially *everyone* has access to the data; then you may just as well run pserver as nobody, since you only give out read-only access... why the hassle of ssh in the first place? i realize that this is closing a circle in this discussion, so i apparently didn't get the point initially. after all, this thread is entitled ".*security.*", so i was switching into secure mode... also, i was thinking (since passwords were mentioned) that there is a specific group of users that need access, not everyone...

> Not true. The concept behind encryption (PK or otherwise) is to
> establish a secure method of communication. Dmitri is simply
> pointing out that ssh normally uses a one-to-many (one person can
> access accounts on many machines) model but, by distributing the
> private key and securing the public key, you can reverse that to
> allow essentially anonymous many-to-one access instead.

you can surely do it, but i was addressing dmitri's critique that i supposedly misinterpret the word "private". encryption is secure communication, there is nothing to say against that, but pk addresses the problem of a shared secret. publishing the private key surely does what you want, but it's also turning pk encryption into a useless endeavour. with such a setup you gain nothing, not even integrity or privacy of the transmitted data (aside from everyone being able to pull it)... if i have the private key, i can hijack, sniff, and interfere with encrypted sessions at my pleasure.

> > so then give me a way to figure out which identity logged in to ssh if
> > they all log in as one user?
>
> You don't need to. That's sort of the point of anonymous access.

did you read the last 2-3 posts pertaining to exactly this issue? my point is that you are about as anonymous with many-to-one as with one-to-many because of IP addresses and the general difficulty of (a) accessing the info *which* identity connected, and (b) mapping that identity to a user.

sure, with many-to-one you have the possibility, but you'd have to jump through hoops to make it non-anonymous...

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" [EMAIL PROTECTED]

"it usually takes more than three weeks to prepare a good impromptu speech."
-- mark twain
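The thread's question (a)/(b), which identity connected and how to map it to a user, turns on what the server can still tell logins apart by once a key is handed out. The following is an added example, not code from anyone in the thread: it groups sshd "Accepted publickey" lines by key fingerprint. Under a single published private key every login carries the same fingerprint, so the source IP is the only remaining discriminator; with per-user keys the fingerprint itself names the person. The log lines are constructed, the fingerprint-in-log format is that of current OpenSSH (sshd of 2001 did not log fingerprints), and the KEY_OWNERS table is an assumed local inventory.

```python
"""Added example: attribute ssh public-key logins by fingerprint.

Assumptions: modern OpenSSH log format; constructed log lines;
KEY_OWNERS is a hypothetical admin-maintained fingerprint inventory.
"""
import re
from collections import defaultdict

# Successful public-key login as logged by current OpenSSH sshd.
ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<type>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed sample log: two logins with the published "anonymous" key
# from different addresses, two logins with individually held keys, and
# one unrelated failure that must be ignored.
SAMPLE_LOG = """\
Nov 29 09:47:17 cvs sshd[1201]: Accepted publickey for anoncvs from 203.0.113.5 port 51234 ssh2: RSA SHA256:SHAREDKEYfp
Nov 29 09:48:02 cvs sshd[1207]: Accepted publickey for anoncvs from 198.51.100.9 port 40211 ssh2: RSA SHA256:SHAREDKEYfp
Nov 29 09:50:40 cvs sshd[1213]: Accepted publickey for cvs from 192.0.2.17 port 33003 ssh2: ED25519 SHA256:DMITRIfp
Nov 29 09:51:11 cvs sshd[1219]: Accepted publickey for cvs from 192.0.2.18 port 33007 ssh2: ED25519 SHA256:MARTINfp
Nov 29 09:52:00 cvs sshd[1225]: Failed password for invalid user guest from 203.0.113.5 port 51300 ssh2
"""

# Assumed inventory: which fingerprint belongs to whom (hypothetical).
KEY_OWNERS = {
    "SHA256:SHAREDKEYfp": "anonymous (published private key)",
    "SHA256:DMITRIfp": "dmitri",
    "SHA256:MARTINfp": "martin",
}


def parse_accepts(log_text):
    """Yield (unix user, source ip, key fingerprint) per successful login."""
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("fp")


def attribute_logins(log_text, key_owners):
    """Map each fingerprint to its owner, the account used and the IPs seen.

    Everything under one fingerprint is one "identity" as far as the key
    is concerned; if that key was published, the IP list is all that is
    left to tell the sessions apart.
    """
    seen = defaultdict(lambda: {"owner": None, "user": None, "ips": set()})
    for user, ip, fp in parse_accepts(log_text):
        entry = seen[fp]
        entry["owner"] = key_owners.get(fp, "unknown key")
        entry["user"] = user
        entry["ips"].add(ip)
    # Freeze IP sets into sorted lists for stable output.
    return {fp: {**e, "ips": sorted(e["ips"])} for fp, e in seen.items()}


def shared_key_logins(report):
    """Fingerprints used from more than one source address.

    A key seen from several hosts was handed out rather than held by one
    person, so its logins cannot be mapped to an individual by the key.
    """
    return sorted(fp for fp, e in report.items() if len(e["ips"]) > 1)


if __name__ == "__main__":
    report = attribute_logins(SAMPLE_LOG, KEY_OWNERS)
    for fp, e in report.items():
        print(f"{fp}: owner={e['owner']!r} account={e['user']} ips={e['ips']}")
    print("keys that identify only a source address, not a person:",
          shared_key_logins(report))
```

Run against a real /var/log/auth.log (or `journalctl -u ssh`) the same grouping shows immediately whether a deployed "anonymous" key is in fact in circulation, and it is the basis for the IP-only attribution martin describes as the residual identity under a many-to-one setup.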