SSH and user accounts



I've just implemented an SSH server on OS X 10.6.3 using the built-in
OpenSSH tools.

In the process of learning about SSH I read about someone who created
a new user account on the SSH server machine purely for login
purposes, as his only interest was gaining access to forwarded ports
from the SSH server machine.

I've set up an SSH server for the purposes of remotely listening to
the iTunes library (using forwarded Service Discovery: details here: /)
contained on that machine.

Currently I log in (with DSA PPK; password authentication is disabled)
to the user account that contains my iTunes library, but I'm wondering
if it'd be a touch safer to create a dummy user purely for the
purposes of logging in.

The way I see it, this should mean that logging in would restrict
clients to accessing only files contained within that dummy user
account (i.e. nothing of value), while at the same time still allowing
them access to the forwarded ports.  Is this correct?

The reason for this approach is that this way I could create a private
key on a remote machine that is not my own---e.g. my parents'---and not
worry about anyone gaining access to anything vital on the server
should my parents' machine become compromised.

Have I understood it all correctly?  Are there any drawbacks to this
approach that I might not be aware of?
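
An added example, not part of the original post: a small auditor that checks whether each key in a login-only account's `authorized_keys` file is limited to port forwarding, using the per-key options documented in authorized_keys(5). The sample lines, the key comments, the `/usr/bin/false` forced command and port 3689 (DAAP) are constructed assumptions.

```python
import re

KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
# Per-key options from authorized_keys(5) that a forwarding-only key should carry.
REQUIRED_FLAGS = {"no-pty", "no-agent-forwarding", "no-x11-forwarding"}
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)')

def split_options(line):
    """Split one key line into (options, remainder); options may be empty."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
    return line, ""

def audit_line(line):
    """Return (key comment, findings); no findings means forwarding-only."""
    opts_str, rest = split_options(line)
    opts = {m.group(1).lower() for m in OPTION_RE.finditer(opts_str)}
    fields = rest.split(None, 2)
    comment = fields[2] if len(fields) > 2 else "(no comment)"
    findings = ["missing " + flag for flag in sorted(REQUIRED_FLAGS - opts)]
    if "command" not in opts:
        findings.append("no command= (key can start a shell)")
    if "permitopen" not in opts:
        findings.append("no permitopen= (may forward to any host:port)")
    if "no-port-forwarding" in opts:
        findings.append("no-port-forwarding set (forwarding disabled)")
    return comment, findings

def audit(text):
    """Audit every key line of an authorized_keys file given as a string."""
    lines = (l.strip() for l in text.splitlines())
    return dict(audit_line(l) for l in lines if l and not l.startswith("#"))

# Constructed sample: key blobs are placeholders, 3689 (DAAP) is an assumed port.
SAMPLE = """\
no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:3689",command="/usr/bin/false" ssh-dss AAAAPLACEHOLDER parents-mac
ssh-dss AAAAPLACEHOLDER my-laptop
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "forwarding-only")
```

A key restricted this way is used from the client with `ssh -N` plus the `-L` forward, since no session command is needed for forwarding.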


