in reply to perl & ssh

I can't see why you need ssh if you don't want to have passwords...

To me this looks like giving a third party the possibility to log in remotely to another server and do whatever they want. And the nice bit is that the third party can't even be eavesdropped on :-)

I'm not criticizing your choice, you might have good reasons to do it (very good reasons, I hope), but at this point you can simplify your life and use Net::Rexec or similar, keeping your keys safe with a password (because you might use them for other connections as well).

Happy remote execution! (No pun intended)

-- TMTOWTDI

Re: Re: perl & ssh
by c (Hermit) on Aug 16, 2001 at 18:22 UTC
    Fellow monks! Let's not get confused between using public key authentication to enter a machine and having no passwords. The public key authentication is just as secure as the originating account. Keep in mind that in order to ssh into the remote machine the account on the far end needs to have the originating user's identity.pub in their authorized_keys file. Rather than using passphrases, you're using key exchange as authentication. It's still considered very secure. If any other user attempts to ssh into the remote machine, they will still be prompted for a username/passphrase pair. The risk you run is letting someone else get your public key. However, protecting it is fairly easy and no less complicated than choosing a good password that you don't keep under your mousepad on a sticky note. You may want to check out Univ. of Michigan's documentation on exactly what we're talking about and the risks associated with it.

    As far as Rexec goes, I don't believe that Rexec is encrypted traffic, which, if we're nitpicking, would cause most infosec people to gasp out loud. Sure it can be encrypted just like rsync using ssh as the transport. So why not just use ssh to begin with?

    To the original poster, if you need the user logging in to the remote box to issue superuser level commands, you might want to look into using sudo. Here is a pretty good and complete guide on using it. Once you get into this arena, you will also need to be careful about what sudo permissions you allow the account that ssh's into the machine, so you're back to square one when it comes to planning your security measures, but so goes the business.

    I read that Security and Convenience are inversely proportional. You'll have to be the one to decide where you draw the line at convenience and sleeping well at night.

    humbly -c

      It's a shame I'm limited to give you only ++. :) Honestly. Some responses need a (rep++)++ option. :)
Re: Re: perl & ssh
by mr_mischief (Monsignor) on Aug 16, 2001 at 18:33 UTC
    I can't see why you need ssh if you don't want to have passwords...

    To me this looks like giving a third party the possibility to log in remotely to another server and do whatever they want. And the nice bit is that the third party can't even be eavesdropped on :-)

    This is true only so long as the third party already has access to your account on the local machine. If they do, chances are a keylogger wouldn't be too hard a thing to use in case you weren't using public key encryption to authenticate to another box. That way, they still have access, and you are none the wiser. Besides, ssh logs pretty thoroughly.

    If you don't trust public key encryption, remember never to trust SSL or TLS on a web site. Secure shell is no different.

    Chris
Re: Re: perl & ssh
by Anonymous Monk on Aug 16, 2001 at 18:20 UTC
    Hi Trantor, Sorry, forgot to mention that the web page is password protected and limited to only a few users. I'm doing all this within the intranet and our security team strongly suggests us using ssh/scp/sftp for any interaction between different servers. I'm now looking at the Net::Rexec stuff. The reason I would need to run as root is that another department has daemons running on the server which they own, and I'm trying to offer them access to the box remotely and only allow them to start/stop certain daemons. sudo would've been another solution but I would like to do it the perl way; not very good at it yet but will try my best and see how it will go. Thanks!
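c's point above about being careful what the account that ssh's in may run, and the original poster's need to let another department only start/stop certain daemons, can both be met on the remote box with an OpenSSH forced command in authorized_keys, so the key can run nothing but this wrapper. The script below is an added example written for this thread, not code from any of the posters; the daemon names and init script paths are assumed, and it is assumed that the account holding the key may run those scripts (root, or a sudoers rule limited to exactly them).

```perl
#!/usr/bin/perl
# Forced-command wrapper for a restricted ssh key (added example, not from the thread).
# Reference it from the key's line in ~/.ssh/authorized_keys on the remote box, e.g.:
#   command="/usr/local/bin/daemonctl.pl",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA...
# sshd then runs this script instead of whatever the client asked for and hands the
# requested command line over in $ENV{SSH_ORIGINAL_COMMAND}.
# The client side is then just:  ssh -i restricted_key otherbox 'stop httpd'
use strict;
use warnings;

# Allowlist: daemon name -> init script (assumed paths; adjust to the local box).
my %daemon = (
    httpd => '/etc/init.d/httpd',
    named => '/etc/init.d/named',
);
my %action = map { $_ => 1 } qw(start stop status);

# Validate the request and return (init script, action); die on anything else.
sub parse_request {
    my ($req) = @_;
    defined $req or die "no command supplied\n";
    # Exactly "<action> <daemon>" and nothing more: no options, no shell metacharacters.
    my ($act, $name) = $req =~ /^\s*([a-z]+)\s+([A-Za-z0-9_-]+)\s*$/
        or die "malformed request\n";
    $action{$act}  or die "action '$act' not permitted\n";
    $daemon{$name} or die "daemon '$name' not permitted\n";
    return ($daemon{$name}, $act);
}

my $req = defined $ENV{SSH_ORIGINAL_COMMAND} ? $ENV{SSH_ORIGINAL_COMMAND} : '';
my ($script, $act) = eval { parse_request($req) };
if ($@) {
    # Refusals go to stderr, which sshd logs, so the security team can see attempts.
    warn "daemonctl: refused '$req': $@";
    exit 1;
}

# List form of exec: no shell is involved, so the arguments cannot be reinterpreted.
exec $script, $act or die "cannot exec $script: $!\n";
```

Because the key line also carries no-pty and the no-*-forwarding options, a compromised restricted key gains a start/stop/status of two daemons and nothing else, which is the line between convenience and sleeping well that c describes.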