in reply to Setting up SSH to execute commands remotely (without passwords)
in thread Moving around with password protected machines.

even without taking the risk of leaving your private key unprotected by a passphrase, it is possible to get unattended logins using SSH with the public key method by using the ssh-agent program.

ssh-agent allows you to leave your private key encrypted on disk by prompting you for your passphrase when run and keeping it in mlock'd memory (i think) to provide to SSH whenever it is necessary to decrypt your private key from disk. this is not considerably more secure than the empty passphrase method while the ssh-agent has your passphrase in memory, but it is equally secure to a plain passphrase/private key login when the agent does not have the passphrase in memory.

with this in consideration, many people run ssh-agent from their .login or .Xclients file to start it up as soon as they log in. it takes their passphrase immediately and acts from then on as if the private key is not protected (i.e. they are not prompted every time they need to use the key, ssh-agent supplies it instead).

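An added example, not part of mdillon's post: a Bourne-shell login snippet (for a file such as ~/.profile) that starts one ssh-agent per user, reuses it across logins, and loads the key with a lifetime so the decrypted key does not stay in the agent indefinitely. The cache path, variable names and function names are assumptions chosen for illustration.

```shell
# Added example: AGENT_ENV, KEY_LIFETIME and the function names are assumptions.
AGENT_ENV="${HOME}/.ssh/agent.env"   # cache of the agent's socket/pid variables
KEY_LIFETIME="8h"                    # agent drops the decrypted key after this long

# Only source the cache if it is a regular file we own with no group/other
# access, because sourcing it executes whatever it contains.
env_file_trusted() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# True when SSH_AUTH_SOCK names a socket with a live agent behind it.
# ssh-add -l exits 2 only when no agent can be contacted (1 = agent up, no keys).
agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

load_agent() {
    if env_file_trusted "$AGENT_ENV"; then . "$AGENT_ENV" >/dev/null; fi
    if ! agent_alive; then
        # No usable agent: start one and cache its variables privately.
        ( umask 077 && mkdir -p "${AGENT_ENV%/*}" \
            && ssh-agent -s >"$AGENT_ENV" ) || return 1
        . "$AGENT_ENV" >/dev/null
    fi
    # Prompt for the passphrase only if the agent holds no key (first login,
    # or the lifetime expired); the key file on disk stays encrypted.
    ssh-add -l >/dev/null 2>&1 || ssh-add -t "$KEY_LIFETIME"
}

# In ~/.profile, after the definitions above:  load_agent
```

For the csh-style .login mentioned in the post, `ssh-agent -c` emits the equivalent `setenv` commands.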

RE: RE: Setting up SSH to execute commands remotely (without passwords)
by gryng (Hermit) on Jul 07, 2000 at 07:56 UTC
    Ah well, you learn something new every day.

    ssh-agent sounds good for a lot of uses. However, I do not think it would buy much in what I'm guessing is Pearte's situation. He suggests that this will be most likely (and hopefully) run by a separate non-human userid. As long as you give that account the minimum security permissions (as you do with all of your accounts anyway, right? :) ), then ssh with empty password'ed keys should be as secure as you need.

    But thanks mdillon for pointing that out!!! :)

    Ciao,
    Gryn