On Tue, 30 Aug 2005, Colin Corr wrote:
On Tue, 2005-08-30 at 20:06 -0700, Ben Johnson wrote:
On Tue, Aug 30, 2005 at 05:55:50PM -0700, Brian Chrisman wrote:
Ben Johnson wrote:
Hey.
I had a question during the ssh talk given a while ago. (2-3 months?)
Something like... "what's the alternative to a password-less ssh key
for automating multi-host maintenance?" It never quite got answered.
The issue is coming up for me again today. :) What do I do?
Do you mean 'passphrase-less'?
You can use the ssh agent stuff to hold yer decrypted ssh keys in
memory, and provide them as necessary for authentication... that way you
only have to put in yer pass phrase once per session (which, I think,
can be defined multiple ways).
word... phrase... one has spaces in it... ;)
I'm familiar with ssh-agent. somewhat anyway. I typically login at a
virtual terminal, run 'exec ssh-agent bash' then 'exec startx'. this
little bit of experience leads me to believe I have a couple problems:
- using ssh-agent doesn't free me from having to enter a passphrase,
which is problematic as I can't be sure that I'll available when the
system reboots.
- I'm wanting to run these scripts that do that connecting from cron
jobs. I thought ssh-agent can only be used by children of ssh-agent.
isn't that right? would I have to run crond as a child of ssh-agent?
- is it possible to start an ssh-agent process on a server then let it
run unattended and without leaving it attached to some tty?
The only problem I have with a passphrase-less ssh key is the chance
that someone will crack the machine, get a hold of the key and use it to
crack into more machines. The security issue is why I only create them
on well protected machines. I think I prefer this problem/risk to what
I understand, so far, is the alternative.
- Ben
You can even script logins for automating maintenance tasks on multiple
hosts...
In what way is this more secure than passphrase-less logins? And, why use
this technique over passphrase-less logins? This comes back to my
arguement about user interaction -- it's the "security" layer of PKC. If
you remove the user interaction you may as well remove the passphrase, as
your level of confidence should be the same.
- Sebastian
_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug
