Moderated thread title: Poster recommends alternative method.

Story: Password-less Encrypted Connections with OpenSSH
Total Replies: 4
timlinux

Jan 05, 2006
12:17 PM EDT
You should _not_ encourage people to use ssh without a passphrase. If someone steals your physical machine or hacks into the machine where your private key is stored, _all_ the machines where your public key has been uploaded are immediately open to entry by the person stealing your private key!

A far better way is to use a passphrase and then use ssh-agent to cache your key for you. This gives you the convenience of passwordless authentication together with the peace of mind of knowing that if someone steals your private key they will not be able to use it without breaking your passphrase.

The simplest way to achieve secure passwordless authentication using ssh-agent is to type:

ssh-add

as soon as you log in to your X Windows session. Enter your passphrase when prompted and for the remainder of your session you will have the benefit of passwordless authentication. Don't forget to lock your desktop session with a screensaver when leaving your PC unattended!

There is an alternative way of having passwordless auth using ssh which is useful for instances where you wish to run cron jobs and other similar tasks without having an X session on the go. See

http://www.gentoo.org/proj/en/keychain/

for more information on using keychain.

Once again, don't follow this article's advice, it's a _really_ bad idea.

Tim
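The risk Tim describes comes down to one question: is the private key file on disk encrypted under a passphrase, or stored in the clear? That can be checked without the agent at all. The following is an added example (not code from the thread or from OpenSSH) that inspects a private key file and reports whether it is passphrase-protected, then audits a directory for keys that are not. It handles the legacy PEM format (where an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header) and the newer `openssh-key-v1` format (where the cipher name is stored in cleartext at the start of the base64 body and reads `none` for an unencrypted key). The function names, the `demo_audit` helper and the sample key texts are all constructed for the example; the samples contain only header fields and no real key material.

```python
import base64
import os
import struct
import tempfile

# Magic string that opens every openssh-key-v1 private key blob.
OPENSSH_MAGIC = b"openssh-key-v1\x00"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"


def _read_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 length + bytes) from buf."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_is_passphrase_protected(key_text: str) -> bool:
    """Return True if the private key text is encrypted under a passphrase."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-style private key")
    header = lines[0]
    if header == OPENSSH_HEADER:
        # New format: base64 body starts with the magic, then the cipher name.
        body = "".join(line for line in lines[1:] if not line.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        # PKCS#8 encrypted form announces itself in the header.
        return True
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type: 4,ENCRYPTED line.
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in lines[1:])


def find_unprotected_keys(directory: str):
    """List private key files in directory that are stored without a passphrase."""
    unprotected = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or name.endswith(".pub"):
            continue
        try:
            with open(path, encoding="ascii") as fh:
                text = fh.read()
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable: not a PEM-style key
        if not text.startswith("-----BEGIN "):
            continue  # config, known_hosts, etc.
        try:
            if not key_is_passphrase_protected(text):
                unprotected.append(name)
        except ValueError:
            continue
    return unprotected


def _constructed_openssh_key(cipher: bytes) -> str:
    """Constructed sample: magic, cipher, kdf, kdfoptions, nkeys only; no key material."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)  # number of keys
    b64 = base64.b64encode(blob).decode("ascii")
    return OPENSSH_HEADER + "\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples for the demo; not real keys.
SAMPLE_UNPROTECTED_NEW = _constructed_openssh_key(b"none")
SAMPLE_PROTECTED_NEW = _constructed_openssh_key(b"aes256-ctr")
SAMPLE_PROTECTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_UNPROTECTED_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"


def demo_audit():
    """Write the constructed samples into a temporary ~/.ssh-like directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "id_ed25519_nopass": SAMPLE_UNPROTECTED_NEW,
            "id_ed25519": SAMPLE_PROTECTED_NEW,
            "id_rsa_old": SAMPLE_UNPROTECTED_PEM,
            "id_rsa": SAMPLE_PROTECTED_PEM,
            "id_rsa.pub": "ssh-rsa AAAA constructed@example\n",
            "config": "Host *\n  AddKeysToAgent yes\n",
        }
        for name, text in files.items():
            with open(os.path.join(tmp, name), "w", encoding="ascii") as fh:
                fh.write(text)
        return find_unprotected_keys(tmp)


if __name__ == "__main__":
    print("keys without a passphrase:", demo_audit())
```

Run it against a real `~/.ssh` by calling `find_unprotected_keys(os.path.expanduser("~/.ssh"))`. The check reads only the cleartext framing of each file, so it never needs the passphrase and never touches the key material itself; any file it lists is one that, as the post above warns, would be usable by anyone who copies it.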
tadelste

Jan 05, 2006
12:30 PM EDT
Tim: While you present a strong argument, I don't agree with your suggestion 100%.

As a sys admin, I prefer Jay's approach especially when managing a moderate to large number of machines, for mirroring, for backup, automation, etc.

If I followed your statement that "this article's advice, it's a _really_ bad idea" then I'd increase my workload. Also, I don't use X Windows to do work on a number of servers.

Just one exception to an all-encompassing rule.
timlinux

Jan 05, 2006
1:49 PM EDT
Hi

Sure, as I mentioned keychain is good for this purpose. I suppose the point is more that we should be encouraging people to use passphrases, and _not_ using them should be something that you really deliberate. I.e., using a passphrase should be the rule, not the exception.

Regards

Tim
tadelste

Jan 05, 2006
2:09 PM EDT
Tim - I agree - we should encourage the use of passphrases. That's what I consider the general rule, especially with the increase in web commerce, on-line banking, etc.

Thanks!
timlinux

Jan 05, 2006
2:22 PM EDT
Hi - one more thing :-)

I should also mention that you don't need X-win to use ssh-add. If you are using Windows or Mac as your desktop OS from which you do your administration, there are putty-agent and a Mac sshagent proggie that provide similar functionality.

Regards

Tim