On Thursday, December 5, 2019 5:41:44 AM MST Nico Kadel-Garcia wrote:
> If someone wants to spend that much of their resources on homedir
> security, they need to decide whether they want SSH key based access.
> That is manageable by configuring SSH to store SSH public keys in an
> alternate location and inform the users of the modified sshd_config
> and its modified, accessible "AuthorizedKeysFile" setting. Or the user
> can spend the time and effort to activate Kerberos based logins, or
> use password based logins. I'd avoid trying to rewrite SSH for such an
> OS-specific and non-portable need as homedir decryption mounting.

Please don't recommend to anyone to use passwords for SSH. That is incredibly insecure, and if privileged users are using password-based SSH, that'll quickly lead to a serious compromise of your entire system, depending on the complexity of the password, of course, but still holds nothing to key-based authentication with the best password.

> In common usage, very few people encrypt their home directories
> separately from their basic disk image. It makes system management for
> administrators or even a local root user very awkward. I could see it
> for home directories in "/home", and it would only cost SSH key based
> access, not ordinary password or Kerberos ticket based login. But it
> sounds quite risky and destabilizing, much as the "kill dangling
> processes when people log out". That caused a lot of shock when it
> was activated by default and started killing processes with no
> logging. Let's not repeat a surprise like that and avoid killing SSH
> key access by default.

A bit off topic, but where is "kill dangling processes when people log out" set? I've not experienced that anywhere.

-- 
John M. Harris, Jr.
Splentity