
Set up remote access in UNIX through OpenSSH (developerWorks)

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 17, 2007 6:12 UTC (Sat) by k8to (subscriber, #15413)
In reply to: Set up remote access in UNIX through OpenSSH (developerWorks) by ldarby
Parent article: Set up remote access in UNIX through OpenSSH (developerWorks)

While ssh-agent is a great solution for a lot of purposes, it's often not good enough for automation tasks.

Automation often requires that the automated task will continue to work after a reboot or similar, and thus ssh-agent will only work if you store the passphrase on disk, in a script, etc. It is likely that this is security-equivalent to a blank passphrase, as the key file is locally stored and encrypted anyway. I think a blank passphrase is appropriate in some cases. You do gain limited advantages in security over an unencrypted, unauthenticated link, and the blank passphrase reminds you of the limitations.

Certainly you need to consider whether ssh-agent OR blank passphrases are acceptable security risks in your environment.

Thanks for ssh-copy-id. I never knew.



Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 17, 2007 22:51 UTC (Sat) by rasjidw (subscriber, #15913) [Link]

If using a blank passphrase for remote automated administrative functions, one can also use the command="command" option in the authorized_keys file to enforce that the given key is only used to run that command, and no other. See man sshd for details.

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 20:36 UTC (Mon) by dtucker (subscriber, #6575) [Link]

> use the command="command" option in the authorized_keys file

You can also use the "from=" key option to restrict where the key can be used from. This makes a stolen key less useful as you need to spoof the source address too; depending on your network this can be anywhere between only a bit more difficult (if you own a box on the same subnet as the real source) to impossible (if you're on the other side of a firewall with strong anti-spoofing policies).
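Added example, not from this thread or the developerWorks article: a small Python audit that parses authorized_keys entries (options field, key type, key, comment, as documented in sshd(8)) and reports which keys lack the command= and from= restrictions the two comments above recommend for passphrase-less automation keys. The sample entries, key blobs, hostnames and addresses are constructed placeholders.

```python
"""Audit authorized_keys entries for command= and from= restrictions."""
import re

# Common key types; an entry whose first field is not one of these starts with options.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample file: placeholder key blobs, not real keys.
SAMPLE = """# backup key: locked to one command and one source address
command="/usr/local/bin/backup.sh",from="10.0.0.5",no-pty,no-port-forwarding ssh-ed25519 AAAAC3placeholder backup@host
from="10.0.0.0/24" ssh-rsa AAAAB3placeholder monitor@host
ssh-ed25519 AAAAC3placeholder deploy@host
"""

def split_options(opts):
    """Split the comma-separated options field, keeping commas that sit
    inside double quotes (a command="..." value may contain them)."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out

def parse_line(line):
    """Return {'options', 'type', 'comment'} for one entry, or None for blanks/comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options run up to the first whitespace that is outside double quotes.
        m = re.match(r'((?:[^\s"]|"[^"]*")+)\s+(.*)', line)
        options, line = split_options(m.group(1)), m.group(2)
    parts = line.split(None, 2)
    return {"options": options, "type": parts[0],
            "comment": parts[2] if len(parts) > 2 else ""}

def audit(text):
    """Map each key (by comment, else type) to the restrictions it is missing."""
    findings = {}
    for entry in filter(None, map(parse_line, text.splitlines())):
        names = {o.split("=", 1)[0] for o in entry["options"]}
        findings[entry["comment"] or entry["type"]] = [
            r for r in ("command", "from") if r not in names]
    return findings
```

Run `audit(open("/etc/ssh/authorized_keys-for-automation").read())` against a real file to list keys that can still open an unrestricted shell from anywhere.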

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 8:55 UTC (Mon) by busybits (guest, #43397) [Link]

Automation tasks made with expect scripts work no matter if you reboot or not. You can use them for both ssh and scp. --Ann

Set up remote access in UNIX through OpenSSH (developerWorks)

Posted Feb 19, 2007 21:39 UTC (Mon) by muwlgr (guest, #35359) [Link]

They work, as everything else, either with passphrase-less keys, or with passphrase stored somewhere in clear or decipherable format.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds