
Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 16, 2007 23:26 UTC (Fri) by ldarby (guest, #41318)
Parent article: Set up remote access in UNIX through OpenSSH (developerWorks)

While I applaud IBM for advocating OpenSSH over e.g. rsh or telnet, they missed a couple of points.

1. To avoid typing in the passphrase each time, he uses a blank passphrase which is horribly insecure. To avoid that, use ssh-agent which holds your keys for you, and is slightly more secure.

2. To copy your identity to a new machine, there is already ssh-copy-id, there's no need to go and re-implement it.

Ok, to be honest I found out about these 2 points about 6 years after I first started using ssh; I just want everyone to be aware of them...


ssh-copy-id

Posted Feb 17, 2007 4:52 UTC (Sat) by socket (subscriber, #43)

Thanks! I just learned about ssh-copy-id. Much appreciated. :)

ssh-copy-id

Posted Aug 9, 2007 16:39 UTC (Thu) by tom123 (guest, #46685)

yeah, me too :) --Tom

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 17, 2007 6:12 UTC (Sat) by k8to (subscriber, #15413)

While ssh-agent is a great solution for a lot of purposes, it's often not good enough for automation tasks.

Automation often requires that the automated task will continue to work after a reboot or similar, and thus ssh-agent will only work if you store the passphrase on disk, in a script, etc. It is likely that this is security-equivalent to a blank passphrase, as the key file is locally stored and encrypted anyway. I think a blank passphrase is appropriate in some cases. You do gain limited advantages in security over an unencrypted, unauthenticated link, and the blank passphrase reminds you of the limitations.

Certainly you need to consider whether ssh-agent OR blank passphrases are acceptable security risks in your environment.

Thanks for ssh-copy-id. I never knew.

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 17, 2007 22:51 UTC (Sat) by rasjidw (subscriber, #15913)

If using a blank passphrase for remote automated administrative functions, one can also use the command="command" option in the authorized_keys file to enforce that the given key is only used to run that command, and no other. See man sshd for details.

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 20:36 UTC (Mon) by dtucker (subscriber, #6575)

> use the command="command" option in the authorized_keys file

You can also use the "from=" key option to restrict where the key can be used from. This makes a stolen key less useful as you need to spoof the source address too; depending on your network this can be anywhere between only a bit more difficult (if you own a box on the same subnet as the real source) to impossible (if you're on the other side of a firewall with strong anti-spoofing policies).
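The two comments above describe the command= and from= options that OpenSSH honours in authorized_keys. The following is an added example, not code from the thread or from OpenSSH: a small parser for the authorized_keys line format (optional comma-separated options, some double-quoted with backslash escapes, then key type, key blob and comment) and an audit that lists which keys carry neither restriction. The sample file, its key blobs and the file names in it are constructed for the example; the option names (command, from, no-pty, no-port-forwarding) are real OpenSSH options.

```python
"""Audit an OpenSSH authorized_keys file for keys that lack command=/from=
restrictions.  Added example for this thread; not part of OpenSSH."""
from dataclasses import dataclass

# Prefixes of the key types OpenSSH accepts; a line whose first token starts
# with one of these carries no options field at all.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


@dataclass
class AuthorizedKey:
    options: dict      # option name -> value, or None for bare flags like no-pty
    key_type: str
    key_blob: str
    comment: str


def _split_options(opts: str) -> dict:
    """Split 'a,b="x,y",c' into a dict, honouring double quotes and \\" escapes."""
    result, i, n = {}, 0, len(opts)
    while i < n:
        j = i
        while j < n and opts[j] not in "=,":
            j += 1
        name, value = opts[i:j], None
        if j < n and opts[j] == "=":
            j += 1
            if j < n and opts[j] == '"':          # quoted value, may contain commas
                j += 1
                buf = []
                while j < n and opts[j] != '"':
                    if opts[j] == "\\" and j + 1 < n:   # \" inside the value
                        j += 1
                    buf.append(opts[j])
                    j += 1
                value = "".join(buf)
                j += 1                             # skip the closing quote
            else:                                  # unquoted value runs to next comma
                k = j
                while k < n and opts[k] != ",":
                    k += 1
                value, j = opts[j:k], k
        result[name] = value
        if j < n and opts[j] == ",":
            j += 1
        i = j
    return result


def parse_line(line: str):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first.startswith(KEY_TYPES):
        opts_text, rest = "", line
    else:
        # Options end at the first whitespace that is not inside double quotes.
        in_quote, i = False, 0
        while i < len(line):
            c = line[i]
            if c == "\\" and in_quote:
                i += 2
                continue
            if c == '"':
                in_quote = not in_quote
            elif c.isspace() and not in_quote:
                break
            i += 1
        opts_text, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(_split_options(opts_text), parts[0], parts[1], comment)


def audit(text: str):
    """Return (line number, comment, missing options) for every key that is
    missing command= or from=; a key with both restrictions produces nothing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key = parse_line(line)
        if key is None:
            continue
        missing = [o for o in ("command", "from") if o not in key.options]
        if missing:
            findings.append((lineno, key.comment, missing))
    return findings


# Constructed sample file: the key blobs are not real key material.
SAMPLE = """\
# constructed sample, not a real key file
command="/usr/local/bin/backup.sh",from="10.0.0.5",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly backup@host
from="192.168.1.0/24" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleKeyMaterialOnly admin@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnly unrestricted@anywhere
"""

if __name__ == "__main__":
    for lineno, comment, missing in audit(SAMPLE):
        print("line %d (%s): missing %s" % (lineno, comment, ", ".join(missing)))
```

Running it against a real file is just `audit(open(path).read())`; the audit only reports what the key line restricts, so a key used from an agent on an interactive workstation will be flagged too, and whether that is a problem is the environment decision k8to describes above.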

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 8:55 UTC (Mon) by busybits (guest, #43397)

Automation tasks made with expect scripts work no matter if you reboot or not. You can use them for both ssh and scp. --Ann

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 21:39 UTC (Mon) by muwlgr (guest, #35359)

They work, as everything else, either with passphrase-less keys, or with passphrase stored somewhere in clear or decipherable format.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds