I don't like RSA without passwords because if your machine gets compromised, the
attacker would have root access to other machines in your network.
When I needed automated scripting using ssh and scp I used this programming
language called EXPECT; Perl includes a module that implements the expect
language. It goes something like this:

spawn ssh myhost "commands"   ;# could be: scp myfile myhost:path
expect "yes/no"               ;# host key confirmation prompt
send "yes\r"
expect "assword"              ;# matches "Password:" and "password:"
send "my_password\r"

Just to make the figure.

It worked quite well, but if one host goes down and you don't include error
exception it may get stuck in the middle of the script. Still better than
keys.

-----Original Message-----
From: Trevor Cushen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 8, 2002 12:24
To: [EMAIL PROTECTED]
Subject: Is SSH worth it??


Many thanks to those that answered and all excellent answers that I will
use in my argument to the customer.
A few interesting points came up also.  Ettercap and dsniff were
mentioned and duly noted as I have used them before and should have left
out the part about sniffing a switched network in my question.  Another
point was raised that the access needed to sniff should be removed first
and foremost (Brad Arlt I think).  Most definitely and it has as much
as possible.  Physical security to the building and any access points is
quite strong.  No external access connections are part of this segment
of the network so external attacks getting in is a low possibility (but
yes possible I suppose so can't be ruled out)
I want to go SSH and have the encryption but the work involved is hard
to justify to the customer (because the work is their side, as in
rewrite the scripts).  The argument that Ettercap claims to break SSH
must also be thrown into the mix here too.
I could use stunnel if I just wanted encryption????

Here is another spanner in the works and I hope I am corrected on this
because I want to be wrong here.

We would be using SSH and SCP.  SCP for automated scripts.  To get
scripts automated my understanding is that the best security in this
scenario is to use RSA authentication only.  Thus no password request when
I do 'scp host:file filedst'.  But then does that mean that my SSH
client will not be prompted for a password.  In that case accountability
is at the machine level.  If I am wrong please inform me gently as I
have only started looking at this in earnest.  Yes I can go rhosts
authentication but that defeats the purpose to a large degree as rhost
files is what we want to get them away from.

I am currently installing a SCO machine, Solaris machine and NT machine
to set all this up and emulate the site as much as possible.  I will
post the final result in time.

Thanks again for the feedback.

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499


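The reply at the top of this thread notes that an Expect-driven transfer can hang when a host is down unless errors are handled. As an added example (not code from either poster), the Expect script below covers that case for scp by handling timeout, end-of-file and a rejected password; the host and file names, the SCP_PASSWORD environment variable and an OpenSSH client are assumptions.

```tcl
#!/usr/bin/expect -f
# Added example, not from the original mails.
# Assumed names: host "myhost", file "myfile", env var SCP_PASSWORD.

set timeout 20                 ;# seconds to wait for each expected prompt
set host "myhost"
set src  "myfile"
set dst  "/tmp/myfile"
set sent 0                     ;# becomes 1 once the password has been sent

if {![info exists env(SCP_PASSWORD)]} {
    puts stderr "SCP_PASSWORD is not set"
    exit 2
}
log_user 0                     ;# do not copy the session output to stdout

spawn scp -o ConnectTimeout=10 $src ${host}:$dst

expect {
    -re "yes/no" {
        # Unknown host key: stop here rather than answering the prompt.
        puts stderr "$host: host key not in known_hosts, aborting"
        exit 3
    }
    -re "assword:" {
        # A second password prompt means the first attempt was rejected.
        if {$sent} {
            puts stderr "$host: password rejected"
            exit 4
        }
        set sent 1
        send -- "$env(SCP_PASSWORD)\r"
        exp_continue
    }
    timeout {
        # Host down or not answering: fail instead of hanging the script.
        puts stderr "$host: no response within ${timeout}s"
        exit 5
    }
    eof
}

# Collect scp's exit status and pass it on to the calling script.
lassign [wait] pid sid os_error status
if {$os_error != 0} { exit 1 }
exit $status
```

A calling script can branch on the exit code: 0 means scp finished successfully, 3 to 5 identify which step failed.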