Re: [SLUG] SSH hint required

2000-12-21 Thread Conrad Parker

take it offline, fellas.

Merry Christmas to all, be nice to each other -- avoid scriptkiddies,
flamewars, and scooters flimsier than your forearm.

Conrad.

On Fri, Dec 22, 2000 at 01:24:13PM +1100, Crossfire wrote:
> - Original Message -
> From: "Mikolaj J. Habryn" <[EMAIL PROTECTED]>
> To: "Crossfire" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Friday, December 22, 2000 12:07 PM
> Subject: Re: [SLUG] SSH hint required
> 
> > > ... You're one of David's friends, aren't you?
> >
> > You know... that's really depressing.
> 
> I take it that's a yes...  It kinda clicked when I saw the rcpt.to...
> 
> In case he's mentioned me... I'm Chris.



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug



Re: [SLUG] SSH hint required

2000-12-21 Thread Crossfire

- Original Message -
From: "Mikolaj J. Habryn" <[EMAIL PROTECTED]>
To: "Crossfire" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 22, 2000 12:07 PM
Subject: Re: [SLUG] SSH hint required

> > ... You're one of David's friends, aren't you?
>
> You know... that's really depressing.

I take it that's a yes...  It kinda clicked when I saw the rcpt.to...

In case he's mentioned me... I'm Chris.

> > The concept is evil and distinctively scary.  There's been lots of noise
> > about agent - I don't use it on the principle that enough [knowledgeable]
> > people have made LOTS of noise about it.
>
> I'm normally one of them, believe me :) ssh-agent, much like every other
> network access tool, is a compromise between security and convenience.
> Sometimes it's worth it, sometimes it isn't.

I have a rather hardline attitude towards only sacrificing security if it's
needed for functionality - convenience is just an excuse to be lazy ;)

--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--





Re: [SLUG] SSH hint required

2000-12-21 Thread J.

I suspect the OP wasn't that interested in the philosophy of ssh, but
what the hell. It's a slow day.

On 22 Dec 2000 11:42:34 +1100, Crossfire wrote:
> Null passphrases are the answer.  For automated connections, it's pretty much
> the only answer.

That I will grant you. But I thought the original question was about a
script that was manually invoked, and just happened to perform a lot of
sshes? Very different security semantics, I would have thought. An
automated identity would have a variety of restrictions in the
authorized_keys file. In the given example, you'd have an identity that
could only run 'df', as unprivileged user, from a specific machine.
That's great for some situations, and totally useless for reducing the
number of times you type in your passphrase in the course of a normal
day.

> ... You're one of David's friends, aren't you?

You know... that's really depressing.

> The concept is evil and distinctively scary.  There's been lots of noise
> about agent - I don't use it on the principle that enough [knowledgeable]
> people have made LOTS of noise about it.

I'm normally one of them, believe me :) ssh-agent, much like every other
network access tool, is a compromise between security and convenience.
Sometimes it's worth it, sometimes it isn't.

m.



Re: [SLUG] SSH hint required

2000-12-21 Thread Crossfire

- Original Message -
From: "Mikolaj J. Habryn" <[EMAIL PROTECTED]>
To: "Crossfire" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 22, 2000 11:20 AM
Subject: Re: [SLUG] SSH hint required


> On 22 Dec 2000 10:45:42 +1100, Crossfire wrote:
> > uh, the ssh and sshd manpages document `authorized keys'.
>
> Which don't solve the problem of having to type in passwords for each
> connection, unless you use null passphrases.

Null passphrases are the answer.  For automated connections, it's pretty much
the only answer.

> > > man ssh-agent
> > >
> > > PS: Yes, this is a Better Way.
> >
> > No it isn't.
> >
> > ssh-agent has been responsible for a number of security problems over the
> > years.  I don't/won't use it for that reason.
>
> Name three - remotely exploitable only, please. Complaining about past
> local exploits when the alternative is unpassworded identities just
> boggles my mind. Or do you mean that the concept is absolutely
> terrifying and there damn well *should* have been more security problems
> with it? If so, I absolutely agree, which is why I wrote keymgr (
> http://www.rcpt.to/keymgr/ ).

... You're one of David's friends, aren't you?

The concept is evil and distinctively scary.  There's been lots of noise
about agent - I don't use it on the principle that enough [knowledgeable]
people have made LOTS of noise about it.  I'll admit that I haven't seen
them - but given it was Tridge who was advocating against it (IIRC), I'll
happily stay clear, and pass on the recommendation.



--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--





Re: [SLUG] SSH hint required

2000-12-21 Thread J.

On 22 Dec 2000 10:45:42 +1100, Crossfire wrote:
> uh, the ssh and sshd manpages document `authorized keys'.

Which don't solve the problem of having to type in passwords for each
connection, unless you use null passphrases.

> > man ssh-agent
> >
> > PS: Yes, this is a Better Way.
> 
> No it isn't.
> 
> ssh-agent has been responsible for a number of security problems over the
> years.  I don't/won't use it for that reason.

Name three - remotely exploitable only, please. Complaining about past
local exploits when the alternative is unpassworded identities just
boggles my mind. Or do you mean that the concept is absolutely
terrifying and there damn well *should* have been more security problems
with it? If so, I absolutely agree, which is why I wrote keymgr (
http://www.rcpt.to/keymgr/ ). 

m.



Re: [SLUG] SSH hint required

2000-12-21 Thread Crossfire

- Original Message -
From: "Mikolaj J. Habryn" <[EMAIL PROTECTED]>
To: "Peter Rundle" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, December 22, 2000 10:22 AM
Subject: Re: [SLUG] SSH hint required


> On 22 Dec 2000 08:21:11 +1100, Peter Rundle wrote:
>> Can someone enlighten me as to how this might work in regards to the
>> login password? Is there some certificate or something that you can
>> store on the box running the script that holds the passwords for each
>> machine a .sshrc file or something? man ssh didn't help much.

uh, the ssh and sshd manpages document `authorized keys'.

> man ssh-agent
>
> PS: Yes, this is a Better Way.

No it isn't.

ssh-agent has been responsible for a number of security problems over the
years.  I don't/won't use it for that reason.

--==--
  Crossfire  | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==--





Re: [SLUG] SSH hint required

2000-12-21 Thread J.

On 22 Dec 2000 08:21:11 +1100, Peter Rundle wrote:
> Can someone enlighten me as to how this might work in regards to the
> login password? Is there some certificate or something that you can
> store on the box running the script that holds the passwords for each
> machine a .sshrc file or something? man ssh didn't help much.

man ssh-agent

m.

PS: Yes, this is a Better Way.



Re: [SLUG] SSH hint required

2000-12-21 Thread Howard Lowndes

If you are using RSA keys and have the password requirement set on for the
RSA key, then you will be prompted for the RSA key to unlock your private
key for each server as it is accessed.  In this case the password will be
the same for all servers as it is not server specific but is tied to your
private ssh key.

If you are using the password for the server then you will be prompted for
the account password relevant to each server and need not necessarily be
the same for each server.

If you do not have a password set for your RSA private key then there will
be no prompt for passwords.  This is a security hole unless you can
guarantee the security of your workstation that contains your private key.

-- 
Howard.

LANNet Computing Associates 
   "...well, it worked before _you_ touched it!"

On Fri, 22 Dec 2000, Peter Rundle wrote:

> Sluggers,
>
> I've been given a script that looks like this
>
>   for i in server1 server2
>   do
>     ssh -l admin $i "df"
>   done
>
>
> Can someone enlighten me as to how this might work in regards to the
> login password? Is there some certificate or something that you can
> store on the box running the script that holds the passwords for each
> machine a .sshrc file or something? man ssh didn't help much.
>
> Thanks
>
> (Oh yeah, Merry Xmas and all that, here's to the Penguinistas!)
>
> Pete
>
>
>




Re: [SLUG] SSH hint required

2000-12-21 Thread tom burkart

On Fri, 22 Dec 2000, Peter Rundle wrote:

> I've been given a script that looks like this
> ...
> machine a .sshrc file or something? man ssh didn't help much.
Why not? You haven't got enough experience reading between the lines :-)

From memory:
In a section called RSA authentication...
use ssh_keygen (or was it ssh-keygen?) to generate the keys, the private
one stays on the machine with the script, the public one gets renamed and
copied to the servers you are trying to monitor in ~root/.ssh - then it
should just happen.  Please check with the manual (man ssh) for the fine
details.

tom.
Consultant

AUSSEC          Phone: 61 4 1768 2202
339 Blaxland Rd., Ryde NSW 2112
Email: [EMAIL PROTECTED]
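Tom's procedure above ends with the public key landing in the servers' authorized_keys, and J.'s earlier reply points out that an automated identity should be restricted there to one command from one machine. The following is an added example, not code from the list, showing what such an entry looks like for the `df` script and how to spot keys that were dropped in without any restriction. The hostname monitor.example.com and the key material are constructed placeholders; the option keywords are the ones the sshd manpage documents.

```shell
# Constructed, non-functional sample key (not generated with ssh-keygen).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxxSAMPLExx admin@monitor'

# restrict_key SOURCE_HOST COMMAND PUBKEY_LINE
# Prefix a public key line with options so that this identity can only run
# COMMAND, only when the connection comes from SOURCE_HOST, and cannot get
# a pty or forward ports, X11 or an agent.
restrict_key() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2" "$3"
}

# count_unrestricted FILE
# Print how many key lines in FILE carry no option prefix at all, i.e. hand
# a full shell to whoever holds the private key. Protocol-1 keys start with
# the bit length, protocol-2 keys with the key type; option prefixes do not.
count_unrestricted() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;                                # blank or comment
            [0-9]*|ssh-*|ecdsa-*|sk-*) n=$((n + 1)) ;; # key with no options
        esac
    done < "$1"
    printf '%s\n' "$n"
}

# make_sample_file: write a constructed authorized_keys holding one restricted
# and one unrestricted copy of the sample key, and print the file name.
make_sample_file() {
    f="${TMPDIR:-/tmp}/authorized_keys.sample.$$"
    {
        printf '# constructed sample: restricted entry first\n'
        restrict_key monitor.example.com df "$SAMPLE_KEY"
        printf '%s\n' "$SAMPLE_KEY"
    } > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demonstration: show the file and flag the unrestricted key.
f=$(make_sample_file)
cat "$f"
echo "unrestricted keys: $(count_unrestricted "$f")"
rm -f "$f"
```

Note that `from=` is matched against the client's resolved hostname or address pattern, so a hostname entry relies on the server's reverse DNS; use the address where that is a concern.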




[SLUG] SSH hint required

2000-12-21 Thread Peter Rundle

Sluggers,

I've been given a script that looks like this

  for i in server1 server2
  do
    ssh -l admin $i "df"
  done


Can someone enlighten me as to how this might work in regards to the
login password? Is there some certificate or something that you can
store on the box running the script that holds the passwords for each
machine a .sshrc file or something? man ssh didn't help much.

Thanks

(Oh yeah, Merry Xmas and all that, here's to the Penguinistas!)

Pete

