On 13 Oct 2002, Peter Kiem wrote:
> I have rsa2 SSH logins running now. I can see this is a great idea as
> even if the attacker KNOWS your root password they STILL cannot get in
> without your private rsa key, right?
That's sort of correct. Root can, in fact, connect to an existing
ssh-agent s
Hi all,
I have rsa2 SSH logins running now. I can see this is a great idea as
even if the attacker KNOWS your root password they STILL cannot get in
without your private rsa key, right?
Is there some way to make it easier to run ssh-agent? I was trying to
put the eval `ssh-agent`; ssh-add into
> wrong ! With the public key and the root password known,
> and files appropriately configured, the "attacker" won't
> be prompted for a password.
>
> If the root password is known in any scenario then "is all over" !
Can you clarify what you mean here?
If you force key
> If you have it set up like A -> B where A is your workstation and B is
> your server so that A has your private key and B has your public key
> what happens if you now want to log into another remote server C (A -> B
> -> C)?
Use agent forwarding. It will forward your key authentication-challe
On 13 Oct 2002, Peter Kiem wrote:
> Hi all,
>
> I have rsa2 SSH logins running now. I can see this is a great idea as
> even if the attacker KNOWS your root password they STILL cannot get in
> without your private rsa key, right?
wrong ! With the public key and the root password known
> > Again, only if you create keys that have no passphrase.
>
> If you are using keys, you only need to fully trust your local SSH client. A
> remote server can't compromise your public key or your passphrase, even if
> you are using the compromised server to log into other servers (and are u
The keys should also have a password in case of such problems and it is
offered when you type ssh-keygen -t rsa.
This is so much more secure as only a host with a recognised public key
can even attempt to login.
If you only allow rsa authentication, brute force attacks are no longer
an option th
> > At least if you are using passwords they need to work out the other
> > computer's passwords before they can SSH into them?
>
> Again, only if you create keys that have no passphrase.
Also, if you are using a password to log into a server that's been
compromised, they don't need to work out
On 10/10/02 9:31 PM, "Peter Kiem" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> This might seem a stupid question but I often see people recommending that
> you never log into SSH with password but rather use keys.
>
> Doesn't this create a security issue as if someone manages to break into one
> comput
you still need a passphrase to unlock the key. (99% of the time).
So even if somebody steals your private key file they still
need your passphrase to use it. It is possible to set one up
with a null passphrase, but,
not surprisingly, that is not recommended.
If someone has stolen your private key