[X2Go-Dev] X2Go-Dev Digest, Vol 58, Issue 7
Stefan Baur
newsgroups.mail2 at stefanbaur.de
Fri Oct 11 15:58:11 CEST 2013
On 11.10.2013 15:33, Madog wrote:
> Thanks so much for the ping back….my sense is while what you are suggesting is "the right way", it's not practical for our user base (i.e., to ask them to generate an ssh key, email etc.).
I will leave answering your other questions to the more qualified list
members.
What on earth are you doing, though, that your users are unable to
create their own private key?
You can use PuTTYgen or the cygwin suite on Windows, and possibly script
the whole issue so your users only have to double-click on an installer
icon.
And for Linux and MacOS (since it is Unix-based as well), scripting is
even easier, I'd say.
Remember, as soon as someone else (That includes you as the admin! Your
users' private key files are none of your business!) has access to the
private key file, it is not safer than a traditional password-based
login. Security is even worse, actually, as a password change on the
user's keyfile by himself doesn't propagate back to the additional
copies. Whoever gets a hold of a key file and manages to guess/crack the
password on it has eternal access to the system where the matching
public key file is installed, no matter how often the legitimate user
changes his password afterwards.
So why go through the extra hassle of creating a keyfile when you break
security again right afterwards? Use a traditional password-based login
(X2Go supports it) and that's it.
-Stefan
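
The scripted key generation suggested in the message above, as an added example that is not part of the original post: the key pair is created on the user's own machine and only the public key file is reported for handing to the admin. The function name `make_user_key`, the script name `make-user-key.sh`, and the choice of ed25519 are assumptions; OpenSSH's `ssh-keygen` must be on the PATH.

```shell
#!/bin/sh
# Added example: generate the user's SSH key pair locally, so the private
# key never leaves the user's machine. Names here are hypothetical.

# make_user_key DIR [extra ssh-keygen options]
# Creates DIR/id_ed25519 (private) and DIR/id_ed25519.pub (public) and
# prints only the path of the public key file on stdout.
make_user_key() {
    dir=$1; shift
    key="$dir/id_ed25519"

    # Never overwrite an existing key: that would lock the user out of
    # every system where the old public key is already installed.
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        echo "refusing to overwrite existing key: $key" >&2
        return 1
    fi

    (
        umask 077                      # new files are private by default
        mkdir -p "$dir" && chmod 700 "$dir" || exit 1
        # Without -N, ssh-keygen asks the user for a passphrase itself,
        # so the passphrase is known to the user only.
        ssh-keygen -t ed25519 -f "$key" -C "$(id -un)@$(uname -n)" "$@" >&2
    ) || return 1

    chmod 600 "$key" && chmod 644 "$key.pub" || return 1
    printf '%s\n' "$key.pub"
}

# When saved and run as make-user-key.sh: write to ~/.ssh and show the
# one file that may be sent to the administrator.
if [ "${0##*/}" = "make-user-key.sh" ]; then
    pub=$(make_user_key "$HOME/.ssh") || exit 1
    echo "Send ONLY this file to your administrator: $pub"
    cat "$pub"
fi
```

The admin appends the contents of the `.pub` file to the user's `authorized_keys` on the server; the private key file stays where it was generated.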