Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Per-user public key/password selection possible?

from [Darren Tucker] Network Security [Permanent Link]
Subject: Re: Per-user public key/password selection possible?
Date: Wed, 02 Nov 2005 21:33:31 +1100
Bjorn Steensrud wrote:
On a HP-UX 11 system we have an account that was created by a script, with a locked account - i.e. a "*" in /etc/password to prevent logging in to this account with password authentication. Could it still be possible to log in with ssh using pubkey authentication? We don't want to set the global policy to pubkey only. 

Depends on which ssh implementation you're using and you didn't specify.

OpenSSH, for example, checks specifically for whatever the underlying OS uses to indicate a locked account. On HP-UX, that's a string of "*" in the password field. That means that if you use something else in the password field that doesn't constitute a valid encrypted password then it won't be considered locked, but no password authentication will work.

Solaris has a specific string "NP" which is useful for this. I don't know if HP-UX has something equivalent, but if it doesn't then "NP" or "**" should be OK as long as the native utilities don't do anything silly.

The alternative is to just set the account's password to something random and then forget what it is :-)

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  how to trace all users connection except some users, Andrea Cucciarre' - Sun Microsystems - Italy
Next by Date:  Re: SFTP, Robert Hajime Lanning
Previous by Thread:  Re: Per-user public key/password selection possible?, Greg Wooledge
Next by Thread:  denyhosts.py, Hal Sails
Indexes:  [Date] [Thread] [Top] [All Lists]