On Tue, 2005-08-30 at 20:06 -0700, Brian Chrisman wrote:
> Colin Corr wrote:
> 
> > On Tue, 2005-08-30 at 20:06 -0700, Ben Johnson wrote:
> > 
> > > On Tue, Aug 30, 2005 at 05:55:50PM -0700, Brian Chrisman wrote:
> > > 
> > > > Ben Johnson wrote:
> > > > 
> > > > > Hey.
> > > > > 
> > > > > I had a question during the ssh talk given a while ago. (2-3 months?)
> > > > > Something like... "what's the alternative to a password-less ssh key
> > > > > for automating multi-host maintenance?" It never quite got answered.
> > > > > The issue is coming up for me again today. :) What do I do?
> > > > 
> > > > Do you mean 'passphrase-less'?
> > > > You can use the ssh agent stuff to hold yer decrypted ssh keys in
> > > > memory, and provide them as necessary for authentication... that way you
> > > > only have to put in yer pass phrase once per session (which, I think,
> > > > can be defined multiple ways).
> > > 
> > > word... phrase... one has spaces in it... ;)
> > > 
> > > I'm familiar with ssh-agent. Somewhat, anyway. I typically log in at a
> > > virtual terminal, run 'exec ssh-agent bash' then 'exec startx'. This
> > > little bit of experience leads me to believe I have a couple of problems:
> > > 
> > > - using ssh-agent doesn't free me from having to enter a passphrase,
> > >   which is problematic as I can't be sure that I'll be available when the
> > >   system reboots.
> > > 
> > > - I'm wanting to run these scripts that do the connecting from cron
> > >   jobs. I thought ssh-agent can only be used by children of ssh-agent.
> > >   Isn't that right? Would I have to run crond as a child of ssh-agent?
> > > 
> > > - is it possible to start an ssh-agent process on a server then let it
> > >   run unattended and without leaving it attached to some tty?
> > > 
> > > The only problem I have with a passphrase-less ssh key is the chance
> > > that someone will crack the machine, get a hold of the key and use it to
> > > crack into more machines. The security issue is why I only create them
> > > on well protected machines. I think I prefer this problem/risk to what
> > > I understand, so far, is the alternative.
> > > 
> > > - Ben
> > 
> > I think the ideal solution to this problem is using ssh public/private
> > key pairs. I use it all the time for remote backups via rsync.
> > 
> > You can even script logins for automating maintenance tasks on multiple
> > hosts...
> > 
> > If you are worried about the security of someone getting on your box and
> > stealing your private keys, well they are already on your box, and
> > therefore have your local passwords. Hopefully you don't use the same
> > passwords for all of your boxen! You can probably rest easiest with this
> > approach if you are automating jobs on non-public systems.
> > 
> > You can also limit your trusted-host access/authentication to a
> > particular host, say only the one with your private key.
> > 
> > - Colin
> 
> Generally passphrases are best for ssh keys which are on backed-up
> servers... where you don't control where the backup tapes go.. :-)
> Even if you have yer keys encrypted with a passphrase, if someone roots
> yer box, they can probably get yer passphrase.. etc.. :-)

Yes, exactly... use a public/private key pair to help the process of fully
automating your maintenance tasks. With all that time saved, reinvest it in
the more important tasks such as securing the box, and studying rootkits...

"What's worse than being owned? Not knowing it."

_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug
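Colin's point about limiting the key to a particular host, and Ben's worry about a stolen passphrase-less key being reused against other machines, can be combined on the server side in authorized_keys. The script below is an added example, not code from anyone in this thread; the host name backup.example.org, the path /srv/data, the wrapper path /usr/local/bin/rsync-only and the sample key are all assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Confines a passphrase-less automation
# key on the server side: a stolen key then only yields an rsync read of
# /srv/data from one host, not a shell. Assumed names: backup.example.org,
# /srv/data, and this file installed as /usr/local/bin/rsync-only.

# Build the authorized_keys line. from= pins the client host, command= forces
# the wrapper (sshd puts the client's request in SSH_ORIGINAL_COMMAND), and
# the no-* options refuse a pty and every kind of forwarding.
restricted_authorized_keys_line() {
    from_host="$1"
    pubkey="$2"
    printf 'from="%s",command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$from_host" "$pubkey"
}

# Wrapper policy: only an rsync server invocation that reads /srv/data/.
# Returns 0 when the requested command may run, 1 otherwise.
rsync_command_allowed() {
    case "$1" in
        "rsync --server --sender "*" . /srv/data/") return 0 ;;
        *) return 1 ;;
    esac
}

# Forced-command entry point: run the request if it passes, log and refuse
# anything else (a different path, an attempted shell, an empty request).
run_forced_command() {
    if rsync_command_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t rsync-only "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1
}

# Constructed sample key (not a real key). When sshd invokes the script,
# SSH_ORIGINAL_COMMAND is set; otherwise print the entry to install.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample backup@backup.example.org'
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_forced_command
else
    restricted_authorized_keys_line backup.example.org "$SAMPLE_KEY"
fi
```

The option string rsync sends with --server varies with client version and flags, so read it once from the rejection log before tightening the case pattern further.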
