On Fri, Jul 22, 2005 at 10:01:32AM -0500, Jay Strauss ([EMAIL PROTECTED]) wrote:
> > No.
> >
> > The authentication is handled by SSH using the public/private keypair.
> > The system password itself isn't involved in the authentication at all.
> >
> > It's possible to have users whose remote passwords are unknown or
> > disabled by this method. This is the case for a number of remote hosts
> > I access regularly.
> >
> >
> > Peace.
>
> Karsten, I apologize, I didn't realize I hadn't responded. Thanks for
> all the info.
>
> I think you are talking about passwordless authentication,

It's not "passwordless", which is a description of negation. It is
possible to set up accounts and SSH keys without passwords or
passphrases. Naturally, this is highly insecure.

Rather, this is SSH-key authorization, based on PKI (public-key
infrastructure). Two keys, halves of a pair, one public, one private,
used for cryptographically secure authentication.

> i.e. public/private keypair, where once it's set up, all I have to do is
> logon to boxA then can ssh to boxB without typing a password.

Nearly.

The SSH-key authentication allows you to authenticate with a token other
than your password. Normally you create a *passphrase* to secure your
SSH key. A program called 'ssh-agent' can supply this passphrase on
request to any program requesting it, allowing you to then access and/or
run commands on remote systems without having to enter a password each
time. You _do_ need to initially supply the passphrase to ssh-agent.

- Generate your key as I've said.

- Copy the *public* key to the remote host.

- Ensure you're running ssh-agent locally. For most current GNU/Linux
  distros, if you're running X, the session itself runs under ssh-agent,
  meaning all processes launched under the session will have access to
  the agent. This is specified by a couple of environment variables, e.g.:

      SSH_AGENT_PID=6341
      SSH_AUTH_SOCK=/tmp/ssh-YTUqYA3655/agent.6535

- Feed the agent your *passphrase*. This secures your *key*; it need not
  be the same as either local or remote passwords, and should ideally be
  different.

- Access your remote system:

      ssh remotehost

  You won't be prompted for a password.

> I've done this on a number of my boxes (currently and in the past).
>
> I didn't realize that PasswordAuthentication was related to the above.

It's not, directly. However, as a security measure, you can disable
password authentication on boxes being accessed remotely, to ensure that
SSH-key authentication is *always* used.

> I thought you were telling me that when this is set to "no" then I still
> type my password, then some magic happens, and I login to the remote box
> but I never send my password down the line.

No. If "PasswordAuthentication no" is set in /etc/ssh/sshd_config on the
remote host, then you *must* use another method, and my understanding is
that this limits you to SSH-passkey. Your remote password (tunneled and
encrypted or not) *won't* work.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
    Information is not power after all: Old-fashioned power is power.
    If you aren't big industry or government, you have very little
    power. Once they've hacked the electronic voting system, you'll
    have no power at all.
    - Robert X. Cringely
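An added example, not part of the thread above: a POSIX shell check that resolves the global PasswordAuthentication value of an sshd_config the way sshd reads it (first uncommented occurrence wins, keyword is case-insensitive, default is "yes", directives after "Match" are conditional), plus a check that the SSH_AUTH_SOCK variable from the message points at a live agent socket. The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Resolve the global value of
# PasswordAuthentication from an sshd_config file the way sshd does:
# keywords are case-insensitive, the FIRST uncommented occurrence wins,
# the default when the keyword is absent is "yes", and directives after a
# "Match" line are conditional, so they do not count as the global value.
# Limitation (assumption): "Include" directives are not followed.
password_auth_effective() {
    awk '
        NF == 0 || $1 ~ /^#/            { next }    # blank or comment line
        tolower($1) == "match"          { exit }    # conditional section starts
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }             # sshd default
    ' "$1"
}

# True (exit 0) when this environment can reach an ssh-agent, i.e. the
# SSH_AUTH_SOCK variable mentioned above points at a unix socket.
agent_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Constructed sample config (not a real host's file) exercising the rules above.
make_sample() {
    cat > "$1" <<'EOF'
# PasswordAuthentication yes   <- commented out, ignored by sshd
passwordauthentication No     # first live occurrence: this one counts
PasswordAuthentication yes    # later occurrence, ignored
Match User backup
    PasswordAuthentication yes  # conditional, not the global value
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
echo "global PasswordAuthentication: $(password_auth_effective "$sample")"   # no
if agent_available; then
    echo "ssh-agent reachable via $SSH_AUTH_SOCK"
else
    echo "no ssh-agent socket in this environment"
fi
rm -f "$sample"
```

Run it against a real file with `password_auth_effective /etc/ssh/sshd_config` on the remote host to confirm that key authentication is the only option left.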
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech