OT: ssh between linux and sco unix

Fairlight fairlite at fairlite.com
Sat Dec 12 09:44:26 PST 2009


You'll never BELIEVE what Tom Aldridge said here...:
> No Fedora is not hanging onto an old standard... The ~/.ssh directories 
> of any no-password-ssh accounts each have an authorized_keys file, not 2.

Ok.

> Now I am not sure why I suggested in the one example to use 
> authorized_keys2. It just seems to me that I've had more than one 
> occassion when setting this up to a box that I didn't control, that I 
> had to place the key into authorized_key2 to get the darn thing to work. 
> Like the other day in setting up with windows-->web hoster backup server 
> thing I referred to.

I think that's called "tossing solutions that might work at a problem that
you don't fully understand".

People do this all the time.  Sometimes it works by luck (ie., in this
case, you have an older installation of openssh that recognises
authorized_keys2 and get lucky).  Sometimes it doesn't work but is harmless.
And other times...well, other times people throw random fixes at things out
of desperation and it costs them a few hundred to $1k+ to get not only a
working solution, but to get the mess they created sorted out.

I didn't really comment previously, other than to wonder why you'd be
suggesting a file that no current documentation suggests exists (unless
manually set to be relevant).  But all along I've had the feeling that
you've been tossing a solution at this problem (and some of your own
problems) without fully understanding what you're doing.

I'm not insulting you, I'm telling you (and anyone that would do the same)
to be careful.  "Fixing" things without understanding what you're doing can
have some nasty (and sometimes expensive) side effects.

Someone I do work for screwed up a virgin samba installation on an OpenSuSE
box -so- badly and -so- obscurely that it took 5hrs just to find out what
the heck they mangled.  Then it took 30 seconds to actually do correctly
what they tried to "fix" the first time.  All because they didn't actually
understand how the subsystem works, a $100 charge turned into a $500 charge.
Then he wanted to dispute the cost, blame the OS, and any odd number of
things--none of which flew with me.

Key point being that that's a prime example of someone "fixing" something
without knowing what they're doing, with unfortunate and costly side
effects.

BTW...the reason I didn't initially recognise authorized_keys2 as -ever-
being a valid file is because...  PuTTY's developer refused to do DSA
(version 2) for a while, citing security issues.  I therefore personally
avoided version 2 for quite some time, deferring to his cryptological
expertise over my own.  Eventually I switched to version 2 when my ISP
mandated a full change and banned version 1.  By that time, DSA keys were
allowed in the same authorized key file as RSA keys, so I'd never seen
documentation to the contrary because I missed dealing with DSA through
that entire period of time where they were segregated.  That's why I had to
look up the history of that file when the docs came up blank.

But I -did- look it up...which is something one should do if you're being
careful about how you fix things.

But it's "your" (ie., anyone's that tries [semi-]random fixes) dime if you
want to do it the risky way.  I just don't like to see the risky way being
advocated as a blanket solution.

mark->
-- 
Audio panton, cogito singularis,


More information about the Filepro-list mailing list