From: Christopher Faylor
To: "Frank Ch. Eigler"
Cc: overseers@sources.redhat.com
Subject: Re: Error trying to get CVS write access via web-form
Date: Fri, 02 Apr 2004 19:16:00 -0000
Message-ID: <20040402191616.GA8205@coc.bosbc.com>
In-Reply-To: <20040402181529.GM26117@redhat.com>

On Fri, Apr 02, 2004 at 01:15:30PM -0500, Frank Ch. Eigler wrote:
>>[...]
>>Is there a way to get ssh to tell us if the key looks right? That's
>>probably the best way to verify keys. [...]
>
>Or an even tougher-love approach would be to force new account holders
>to log in using the putative key within some time limit after initial
>account activation, to prove they hold a matching private key.

Yeah, a secondary verification step might be nice.

"ssh-keygen -l" does seem to do the job.
The only challenge is the necessity of creating a temp file. I hate that.
I tried using the standard workaround of passing the key file in a pipe
and using /proc/self/fd/0 but ssh-keygen is way too clever to allow that.

Anyway, now it's back to real work for me. I'll look at this more tonight.

cgf
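
An added example, not part of the original message or of the sourceware scripts: a structural check of a submitted public-key line done in memory, so no temp file is needed. It swaps "ssh-keygen -l" for a Python parser of the RFC 4251 wire format and returns the fingerprint in the SHA256 form that current OpenSSH prints; the allowed key types and all function names are assumptions of this example. It only shows the key is well formed, not that the submitter holds the matching private key.

```python
import base64, binascii, hashlib, struct

# Accepted key types are an assumption of this example, not a site policy.
ALLOWED = {"ssh-rsa", "ssh-dss", "ssh-ed25519"}

def read_string(blob, off):
    """Read one RFC 4251 string (uint32 length + bytes) starting at off."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + n
    if end > len(blob):
        raise ValueError("field runs past end of blob")
    return blob[off + 4:end], end

def check_pubkey(line):
    """Validate one submitted public-key line; return (type, sha256_fp)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    # Also rejects pasted private keys and lines with an options prefix.
    if ktype not in ALLOWED:
        raise ValueError("unsupported key type")
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key body is not valid base64") from None
    # The type string inside the blob must match the declared one.
    inner, off = read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError("type inside blob does not match declared type")
    fields = 0
    while off < len(blob):          # every remaining field must be complete
        _, off = read_string(blob, off)
        fields += 1
    if fields == 0:
        raise ValueError("no key material")
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return ktype, fp

def make_sample():
    """Constructed sample: ed25519-shaped blob of 32 zero bytes, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"
```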