Colin Corr wrote:
On Tue, 2005-08-30 at 20:06 -0700, Ben Johnson wrote:
On Tue, Aug 30, 2005 at 05:55:50PM -0700, Brian Chrisman wrote:
Ben Johnson wrote:
Hey.
I had a question during the ssh talk given a while ago. (2-3 months?)
Something like... "what's the alternative to a password-less ssh key
for automating multi-host maintenance?" It never quite got answered.
The issue is coming up for me again today. :) What do I do?
Do you mean 'passphrase-less'?
You can use the ssh agent stuff to hold yer decrypted ssh keys in
memory, and provide them as necessary for authentication... that way you
only have to put in yer pass phrase once per session (which, I think,
can be defined multiple ways).
word... phrase... one has spaces in it... ;)
I'm familiar with ssh-agent. somewhat anyway. I typically login at a
virtual terminal, run 'exec ssh-agent bash' then 'exec startx'. this
little bit of experience leads me to believe I have a couple problems:
- using ssh-agent doesn't free me from having to enter a passphrase,
which is problematic as I can't be sure that I'll available when the
system reboots.
- I'm wanting to run these scripts that do that connecting from cron
jobs. I thought ssh-agent can only be used by children of ssh-agent.
isn't that right? would I have to run crond as a child of ssh-agent?
- is it possible to start an ssh-agent process on a server then let it
run unattended and without leaving it attached to some tty?
The only problem I have with a passphrase-less ssh key is the chance
that someone will crack the machine, get a hold of the key and use it to
crack into more machines. The security issue is why I only create them
on well protected machines. I think I prefer this problem/risk to what
I understand, so far, is the alternative.
- Ben
I think the ideal solution to this problem is using ssh public/private
key pairs. I use it all the time for remote backups via rsync.
You can even script logins for automating maintenance tasks on multiple
hosts...
If you are worried about the security of someone getting on your box and
stealing your private keys, well they are already on your box, and
therefore have your local passwords. Hopefully you don't use the same
passwords for all of your boxen! You can probably rest easiest with this
approach if you are automating jobs on non-public systems.
You can also limit your trusted-host access/authentication to a
particular host, say only the one with your private key.
Generally passphrases are best for ssh keys which are on backed-up
servers... where you don't control where the backup tapes go.. :-)
Even if you have yer keys encrypted with a passphrase, if someone roots
yer box, they can probably get yer passphrase.. etc.. :-)
- Colin
_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug
