On Tue, 30 Aug 2005, Brian Chrisman wrote:
> Ben Johnson wrote:
> > Hey.
> > I had a question during the ssh talk given a while ago. (2-3 months?)
> > Something like... "what's the alternative to a password-less ssh key
> > for automating multi-host maintenance?" It never quite got answered.
> > The issue is coming up for me again today. :) What do I do?
>
> Do you mean 'passphrase-less'?
> You can use the ssh agent stuff to hold yer decrypted ssh keys in memory, and
> provide them as necessary for authentication... that way you only have to put
> in yer pass phrase once per session (which, I think, can be defined multiple
> ways).

As Brian stated, ssh-agent will only hold your passphrase for a session
-- once you logout it's gone. This really affects scripting, because you
will have to have user interaction with the system at some level (entering
the passphrase).

Why not have a passphrase-less ssh key? Well... it breaks the public key
cryptography. If you don't require a passphrase there is no way to
validate that the connecting user is who they say they are (I'm sure you
understand this, but for the rest of the community...). For more info on
PKC go to:
http://en.wikipedia.org/wiki/Public_key_cryptography

I don't know of a way around passphrase-less login using SSH for
scripting. Perhaps there is a method for using certificates to identify
individual machines, or something similar. If you're transferring files
you could set up a VPN.

- Sebastian
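
The ssh-agent approach discussed in this thread, sketched as an added example that is not part of the original messages: an operator enters the passphrase once, and unattended jobs reuse the agent and refuse to run rather than prompt. The env-file path, the key path and the host names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. AGENT_ENV's path and the key and host
# names in the usage comments are assumptions.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
SSH="${SSH:-ssh}"              # overridable so the logic can be tested offline
SSH_ADD="${SSH_ADD:-ssh-add}"

# Import SSH_AUTH_SOCK / SSH_AGENT_PID written by unlock_agent, if present.
load_agent_env() {
    if [ -r "$AGENT_ENV" ]; then . "$AGENT_ENV" >/dev/null; fi
}

# Print "ready" (agent holds a key), "empty" (agent up, no keys) or "none"
# (no agent reachable). `ssh-add -l` exits 0, 1 and 2 for these cases.
agent_state() {
    load_agent_env
    rc=0
    $SSH_ADD -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ready ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# Interactive, once per boot: start an agent, save its environment with
# owner-only permissions, and prompt for the key's passphrase.
# usage: unlock_agent ~/.ssh/id_maint   (hypothetical key path)
unlock_agent() {
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    load_agent_env
    $SSH_ADD "$1"
}

# Unattended (cron): run one command on each host, never prompting.
# usage: run_on_hosts "uptime" web1 web2
run_on_hosts() {
    cmd=$1; shift
    load_agent_env
    if [ "$(agent_state)" != ready ]; then
        echo "agent has no unlocked key; run unlock_agent first" >&2
        return 1
    fi
    failed=0
    for h in "$@"; do
        $SSH -o BatchMode=yes "$h" "$cmd" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}
```

The key is decrypted only in the agent's memory, so after a reboot an operator has to run unlock_agent again before jobs succeed. Anything running as the same user (or as root) can use the agent socket while the agent is up.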