On Wednesday 09 October 2002 01:06 pm, Trevor Cushen wrote:
> Andre sent stuff on Expect which would solve the RSA problem but then I
> would have a user id and password in a script. I could protect that
> file to the user only I suppose. (Many thanks Andre)
<snip>
> The site also claims they can convince the server to switch to ssh1 if
> ssh2 is in place. Therefore the RSA is a good idea?!?! The latest
DSA keys are only supported by SSH v2 (from my understanding). Furthermore,
ssh won't even use the key unless it's protected from all other users. You can
even passphrase the key and use ssh-agent, but that requires some user
intervention on restart.
> version and configure it to only ssh2 is not really an option as the
> latest version is not available for all the machine and OS in use.
That's surprising w/ this list... from openssh.org/portable.html -AIX, HP-UX,
Irix, Linux, NeXT, SCO, SNI/Reliant Unix, Solaris, Digital Unix/Tru64/OSF,
MacOS X, Cygwin (This covers all windows)
The biggest argument is that it will require hardly any changes to your
customers' scripts. From the man page:
DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for
executing commands on a remote machine. It is intended to replace rlogin
and rsh, and provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and arbitrary
TCP/IP ports can also be forwarded over the secure channel.
I understand most of your arguments, but think of this... Anything can be
broken, but this way instead of just plugging in and sniffing to get a
password they will have to compromise a box, get around file security to get
the keys, and even then have a problem because on the server authorized keys
are bound to user@system.
Also, you don't make and distribute keys for each and every server! For
example: usera on servera needs access to userb on serverb. You create a dsa
key for usera, use ssh-copy-id (or do it manually) to give him access to
userb. If he needs root access and you wanna be anal, then give usera access
to nobody on serverb, and give user nobody sudo access to whatever he needs.
Either way, good luck!
Jason B.
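As an added example (not part of the thread above), a POSIX sh script that does by hand what ssh-copy-id does and checks the permission rule Jason mentions: ssh refuses a private key that group or others can read, and sshd wants ~/.ssh and authorized_keys protected the same way. The `from=` option in authorized_keys is a real sshd feature that restricts the key to a source host; the hostname and key text here are constructed placeholders.

```shell
#!/bin/sh
# Added example: manual ssh-copy-id plus the file-permission check ssh enforces.

# Return 0 if the file exists and is not readable by group or others
# (permission string like -rw------- or -r--------), else 1.
private_key_perms_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Append a public key line to $home/.ssh/authorized_keys, creating the
# directory (mode 700) and file (mode 600) under a restrictive umask.
# If a third argument is given, the key is limited to that source host
# with the sshd "from=" option, so the key really is bound to a system.
install_authorized_key() {
    home_dir=$1; pubkey=$2; from_host=$3
    sshdir="$home_dir/.ssh"
    ( umask 077
      mkdir -p "$sshdir"
      if [ -n "$from_host" ]; then
          printf 'from="%s" %s\n' "$from_host" "$pubkey"
      else
          printf '%s\n' "$pubkey"
      fi >> "$sshdir/authorized_keys" )
    chmod 700 "$sshdir"
    chmod 600 "$sshdir/authorized_keys"
}

# Count how many keys are installed for a home directory (0 if none).
authorized_key_count() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] && grep -c '^' "$f" || echo 0
}
```

Run it as the target user on serverb, passing userb's home directory and the contents of usera's .pub file; the from= host should be servera's name as sshd will resolve it.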