10-08-2010 09:32 AM
ssh and using Authorized Keys File ??
We have several what we call Admin ID's that the applications group uses to administer their applications from...
They are allowed direct login to these ID's, and are forced to use sudo which issues the su for them to log into these accounts...
The ID's do have ssh-keys generated for these Admin ID's so that they can communicate between other servers with these same ID's set up on them...
We are required by our security group to have expiring passwords set on these ID's, even though there is no direct login to the ID's which brings up the issue we are having..
Should the ID's password expire, the scripts that communicate with this ID between servers that are using the ssh-keys set up in the authorizedkeys file, also stop working..
As soon as the password is set to some new password it starts working again...
Is there something that can be done, when the password expires, that will allow ID's with the ssh-keys defined to continue to function ??
10-08-2010 05:14 PM
Re: ssh and using Authorized Keys File ??
So, if I understand your description, the
actual problem here is that you can't use
SSH to log in as a user whose password has
expired. (So, not really much to do with the
"authorized_keys" file, which isn't
changing.) If that's correct, ...
> They are allowed direct login to these
> ID's, [...]
> [...] even though there is no direct login
> to the ID's [...]
I'm confused.
> We are required by our security group [...]
Apparently, you need to pursue this problem
with them. I know nothing, but I suspect
that any scheme which allows a user with an
expired password to log in would be a _real_
security problem. (Which is different from
an intentional service disruption caused by
a lame policy decision made by "our security
group".)
If no one actually uses a password to log in
as one of these Admin users -- passwordless
SSH connections only -- then I would think
that "our security group" could set
complex/random passwords for them, passwords
which are known to no one. Then, who could
care if they ever expire? And if long-life
passwords are still considered a problem,
even if no one actually uses (or even knows)
them, then let "our security group" change
them whenever it wants to, so long as it
doesn't ever let them expire.
If "our security group" is not entirely
populated by morons, then it should be
possible to agree on a policy which satisfies
any rational security requirements while
allowing necessary work to get done. In some
cases of nonsensical policies, there may be
no technical solution. The real mystery here
is what "our security group" is expecting to
achieve by having these passwords expire.
Especially if no one is actually using them.
Alternatively, one might be able to extract
the password expiration date from the
authorization data base, and run a "cron"
job which automatically sends increasingly
nasty e-mail messages to "our security group"
as password expiration dates grow nigh.
Sometimes a non-technical ("social
engineering") solution can substitute for a
technical solution. (Or, ideally, educate
"our security group" regarding the benefits
of a more enlightened policy.)
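
Added example, not part of the reply above: one way to do the expiry check the reply suggests running from cron, listing accounts whose password has expired or will expire within a warning window. It assumes the "authorization data base" is a shadow(5)-format file; the function names, account names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report accounts whose password ageing is about to lock them out.
# Assumes shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# expiring_accounts FILE TODAY WARN_DAYS
#   FILE       shadow-format file (normally /etc/shadow, readable by root only)
#   TODAY      current date as days since 1970-01-01
#   WARN_DAYS  report accounts with this many days or fewer left
# Prints "name days_left" per line; a negative days_left means already expired.
expiring_accounts() {
    awk -F: -v today="$2" -v warn="$3" '
        $1 == "" || $1 ~ /^#/ { next }                 # blank or comment line
        $3 == "" || $5 == "" || $5 >= 99999 { next }   # ageing not enforced
        {
            left = ($3 + $5) - today                   # lastchg + max - today
            if (left <= warn) print $1, left
        }
    ' "$1"
}

# Constructed sample data (hash field replaced by "*"); day 14890 = 2010-10-08.
sample_shadow() {
    cat <<'EOF'
root:*:14000:0:::::
appadm1:*:14805:0:90:7:::
appadm2:*:14790:0:90:7:::
appadm3:*:14880:0:90:7:::
svcnoage:*:14000:0:99999:7:::
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_shadow > "$tmp"
expiring_accounts "$tmp" 14890 14
rm -f "$tmp"
```

For a real run from cron, pass `/etc/shadow` as FILE and `$(( $(date +%s) / 86400 ))` as TODAY, and send any non-empty output to whoever owns the password policy.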
10-14-2010 02:05 PM
Re: ssh and using Authorized Keys File ??
.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.