Subject: Re: PMAX and PVM
To: <>
From: None <mcmahill@mtl.mit.edu>
List: port-pmax
Date: 01/17/2000 22:50:28

On Tue, 18 Jan 2000, Andreas Kotes wrote:

> 
> Hi!
> 
> On Mon, 17 Jan 2000 mcmahill@mtl.mit.edu wrote:

> > and get a prompt.  This means you need Rhosts with RSA authentication set
> > in /etc/sshd_config (the default).  However, the ssh binary needs to be
> > set to suid for this to work.
> 
> no, not really, and this is not the 'most secure' way to do this.

really?  Without changing anything else, changing the perms on the ssh
binary made the difference between RhostsRSAAuthentication working and not
working.  I'm not an expert though and I do admit I don't like suid progs.

> I don't know the software you're talking about, but using RSA host
> authentication isn't optimal. better use RSA authentication by key, and
> configure the authorized_keys on the target system to allow only
> accesses from a specific IP, executing ONLY the necessary, not allowing to
> forward any ports, and not giving a pty.
> you can avoid being asked for the passphrase of the identity by not
> setting one, but you really should only use it for these tasks and with
> these restrictions then.
> 
> consider having a closer look at the manpages of ssh(1), ssh-keygen(1) and
> sshd(8)

yes it is not optimal.  yes, please look closely at the suggested reading
if your machine is on a public network.

-Dan
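
Added example, not part of the original messages: a small Python audit for the authorized_keys restrictions Andreas Kotes lists above (a specific source address, a forced command, no port forwarding, no pty). The option names are those of the authorized_keys format in sshd(8); the keys, addresses and command paths in the sample are constructed, and the `from-wildcard` label is a name chosen for this example.

```python
# Added example: audit authorized_keys entries for the restrictions named
# in the thread. All keys, addresses and commands below are constructed.
REQUIRED = ("from", "command", "no-port-forwarding", "no-pty")

def parse_options(line):
    """Return {option: value or True} from the leading options field."""
    line = line.strip()
    # sshd(8): a line that starts with a number (SSH1 key) or a key type
    # has no options field.
    if line[:1].isdigit() or line.startswith(("ssh-", "ecdsa-", "sk-")):
        return {}
    opts, name, value, quoted, in_value, prev = {}, "", "", False, False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted          # quotes protect commas and spaces
        elif not quoted and ch in ", \t":
            opts[name.lower()] = value if in_value else True
            name, value, in_value = "", "", False
            if ch != ",":
                break                    # unquoted whitespace ends the field
        elif ch == "=" and not in_value:
            in_value = True
        elif in_value:
            value += ch
        else:
            name += ch
        prev = ch
    return opts

def audit(text):
    """Return [(line_no, [problems])] for keys lacking a restriction."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        opts = parse_options(line)
        problems = [r for r in REQUIRED if r not in opts]
        if any(c in str(opts.get("from", "")) for c in "*?"):
            problems.append("from-wildcard")   # not one specific address
        if problems:
            findings.append((n, problems))
    return findings

SAMPLE = '''\
# constructed sample; AAAAPLACEHOLDER stands in for real key material
from="192.0.2.10",command="/usr/local/bin/run-job --quiet, node1",no-port-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER batch@master
no-pty,command="/bin/true" ssh-rsa AAAAPLACEHOLDER ops@host
from="*.example.org",command="/bin/true",no-port-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER any@host
ssh-rsa AAAAPLACEHOLDER unrestricted@host
'''

if __name__ == "__main__":
    for line_no, problems in audit(SAMPLE):
        print(f"line {line_no}: missing or weak: {', '.join(problems)}")
```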