On Thu, Jun 09, 2005 at 08:02:06PM -0400, Robert Brockway ([EMAIL PROTECTED]) wrote:
> On Thu, 9 Jun 2005, Roberto C. Sanchez wrote:
>
> > Sadly, most people (myself included) have no passphrase on their SSH
>
> Hi. Using PKI with no passphrase drops the level of security
> significantly (as I'm sure you know).
>
> > keys. I also end up bouncing around a variety of machines (some Fedora,
> > some Windows with PuTTY and some Windows with SSH.com). So the key
> > thing is a pain in the butt. At least on the Linux machines it is
> > straightforward and I set those up when I can to use keys instead of
> > passwords.
>
> May I introduce you to ssh-agent and ssh-add. They are a standard part of
> ssh and will operate between implementations (as long as no one has broken
> their implementation).
>
> This is the last line of my ~/.xsession file:
>
> ssh-agent bash -c "ssh-add < /dev/null && /usr/bin/fvwm2"
If you're starting X under Debian via a display manager (gdm, kdm, wdm, xdm, etc.), you're already running ssh-agent. Check your environment, or look at /etc/ssh-* (the directory pattern used for the authorization socket). I've found most other distros are now doing this as well. Accessing ssh-agent is now as simple as "ssh-add" in a terminal, to feed your password to the agent.

> After entering my passphrase as part of the login process[1] I can ssh
> to boxes all over the world without so much as entering my passphrase
> and I'm doing it securely. Of course you need to keep your session
> secure if you are doing this (and I certainly do).

You can also revoke a password (temporarily) from an agent:

    $ ssh-add -D          # Deletes all identities from the agent
    $ ssh-add -x          # Lock agent with password
    $ ssh-add -X          # Unlock agent
    $ ssh-add -t <life>   # Specify lifetime of identities (in seconds)

Remember: there are 60 seconds in a minute, 3600 seconds in an hour, and 86,400 seconds in a day. Which I know from memory (nine months spent working with 24-hour, seconds-resolution data....). 604,800 seconds to a week, 2,419,200 seconds per 28 day "month", and 31,536,000 seconds per (standard) year, I have to calculate still....

ssh, RSA authentication, & ssh-agent are lifesavers. Add to them rsync (a fast, efficient, flexible file transfer protocol), screen (a detachable terminal multiplexer), and mc (a curses-based file manager on steroids, including the ability to transfer files back and forth) and you've got the makings of highly doable remote admin.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Necessity knows no law.
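As an added example (not code from the thread or from OpenSSH itself), the helpers below turn the ssh-add usage discussed above into reusable shell functions: a duration-to-seconds converter for `ssh-add -t`, which the message describes as taking a lifetime in seconds, and an agent-state probe built on the exit status of `ssh-add -l`. It assumes OpenSSH's ssh-add is on PATH for the agent functions; the converter needs only POSIX sh.

```shell
# Added example, not from the original thread.
# Assumes OpenSSH's ssh-add is on PATH for agent_state/add_key_for.

# Convert a duration such as "90", "45m", "1h30m" or "2d" into the plain
# seconds count that ssh-add -t is described as taking in the thread.
# Units: s (default), m, h, d, w. Returns 1 on malformed input.
to_seconds() {
    rest=$1 total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}            # leading digit run
        [ -n "$num" ] || return 1       # unit without a number, or junk
        rest=${rest#"$num"}
        unit=${rest%%[0-9]*}            # letters up to the next digit
        rest=${rest#"$unit"}
        case $unit in
            ''|s) mult=1 ;;
            m)    mult=60 ;;
            h)    mult=3600 ;;
            d)    mult=86400 ;;
            w)    mult=604800 ;;
            *)    return 1 ;;
        esac
        total=$((total + num * mult))
    done
    echo "$total"
}

# Report the agent's state from the exit status of ssh-add -l:
# 0 = identities loaded, 1 = agent reachable but holds none,
# 2 (or 127 when ssh-add is missing) = no usable agent.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# Load a key into the running agent with a bounded lifetime, so an
# unattended session does not keep the identity usable indefinitely.
# Usage: add_key_for ~/.ssh/id_rsa 8h
add_key_for() {
    secs=$(to_seconds "$2") || { echo "bad lifetime: $2" >&2; return 1; }
    ssh-add -t "$secs" "$1"
}

echo "a working day of 8h is $(to_seconds 8h) seconds"
echo "agent state: $(agent_state)"
```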