On Tue, 2005-08-30 at 20:06 -0700, Ben Johnson wrote: > On Tue, Aug 30, 2005 at 05:55:50PM -0700, Brian Chrisman wrote: > > Ben Johnson wrote: > > > > >Hey. > > > > > >I had a question during the ssh talk given a while ago. (2-3 months?) > > >Something like... "what's the alternative to a password-less ssh key > > >for automating multi-host maintenance?" It never quite got answered. > > >The issue is coming up for me again today. :) What do I do? > > > > > > > > > > > Do you mean 'passphrase-less'? > > You can use the ssh agent stuff to hold yer decrypted ssh keys in > > memory, and provide them as necessary for authentication... that way you > > only have to put in yer pass phrase once per session (which, I think, > > can be defined multiple ways). > > word... phrase... one has spaces in it... ;) > > I'm familiar with ssh-agent. somewhat anyway. I typically login at a > virtual terminal, run 'exec ssh-agent bash' then 'exec startx'. this > little bit of experience leads me to believe I have a couple problems: > > - using ssh-agent doesn't free me from having to enter a passphrase, > which is problematic as I can't be sure that I'll available when the > system reboots. > > - I'm wanting to run these scripts that do that connecting from cron > jobs. I thought ssh-agent can only be used by children of ssh-agent. > isn't that right? would I have to run crond as a child of ssh-agent? > > - is it possible to start an ssh-agent process on a server then let it > run unattended and without leaving it attached to some tty? > > > The only problem I have with a passphrase-less ssh key is the chance > that someone will crack the machine, get a hold of the key and use it to > crack into more machines. The security issue is why I only create them > on well protected machines. I think I prefer this problem/risk to what > I understand, so far, is the alternative. > > - Ben >
I think the ideal solution to this problem is using ssh public/private key pairs. I use it all the time for remote backups via rsync. You can even script logins for automating maintenance tasks on multiple hosts... If you are worried about the security of someone getting on your box and stealing your private keys, well they are already on your box, and therefore have your local passwords. Hopefully you don't use the same passwords for all of your boxen! You can probably rest easiest with this approach if you are automating jobs on non-public systems. You can also limit your trusted-host access/authentication to a particular host, say only the one with your private key. - Colin -- # emerge freedom # emerge religion # emerge war Segmentation fault. : war illegally accessed religion at memory address 0x077A (1914), 0x0793 (1939), 0x07D5 (2005). religion terminated to prevent kernel panic. : freedom process has been backgrounded and scheduled for termination during next scheduler cycle. _______________________________________________ RLUG mailing list [email protected] http://lists.rlug.org/mailman/listinfo/rlug
