At George Geller's nice presentation last night, some discussion arose
about the sanity^Wwisdom of using ssh keys without a passphrase.
I always like to find an answer that agrees with everyone ;-), so here
is a tip that some may find useful in cases like this.
0) to avoid a passphrase (for example) for automated jobs, or whatever
your reason, be aware of the risk.
1) consider using a unique key specifically for connection to a given
remote host, in order to limit the risk. Generate via
ssh-keygen -t dsa -f id_dsa_eola
2) for further convenience, make an entry ("stanza") in the per-client
config file ~/.ssh/config, like:
"""
Host x.y.z.t
User george
Compression yes
Protocol 2
RSAAuthentication yes
StrictHostKeyChecking no
ForwardAgent no
ForwardX11 yes
IdentityFile /home/ggeller/.ssh/id_dsa_eola
"""
Note that you can use names and wildcards too, in the host field.
See man ssh_config. In GG's case, he may even want/need a script that
updates the value in the host field -- that's his problem; this is my
tip. Well, actually, if the host changes a lot, the ~/.ssh/config part
of my tip may not be all that helpful, but paragraph #1 is still valid,
eh? The benefit being that the risk is delimited.
As a further disclaimer, I'm also ignoring the fact that GG is
tunnelling -- adapting my tip to that case is left as "An Exercise
For The Interested Student" (tm).
One can expand this subject endlessly, but I just wanted to point out a
practice that some may not have been aware of -- you can have more than one
ssh key, and here is one reason you might want to.
Regards,
..jim
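
A check for the practice described in this post, as an added example that is not part of the original message: it reads ssh_config text and reports every passphrase-less private key that is offered to more than one Host pattern or to a wildcard, which is the case where the risk is no longer delimited to one remote host. All hosts other than x.y.z.t, all key paths other than id_dsa_eola, and all key contents are constructed; Match blocks are not handled.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"
LINE = re.compile(r"(?m)^[ \t]*(\w+)(?:[ \t]*=[ \t]*|[ \t]+)(.*\S)")  # keyword, value

def hosts_by_key(config_text):
    """Map each IdentityFile path in ssh_config text to the Host patterns using it."""
    keys, current = {}, ["*"]  # options before any Host line apply to every host
    for keyword, value in LINE.findall(config_text):
        if keyword.lower() == "host":
            current = value.split()
        elif keyword.lower() == "identityfile":
            for host in current:
                keys.setdefault(value.strip('"'), []).append(host)
    return keys

def key_is_unencrypted(key_text):
    """True when a private key file carries no passphrase protection."""
    if "BEGIN OPENSSH PRIVATE KEY" in key_text:
        blob = base64.b64decode(re.sub(r"-----.*?-----|\s", "", key_text))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))  # cipher name length
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] == b"none"
    # Legacy PEM and PKCS#8 keys announce encryption in plain text instead.
    return not ("Proc-Type: 4,ENCRYPTED" in key_text or "BEGIN ENCRYPTED" in key_text)

def audit(config_text, read_key):
    """Return {key path: [Host patterns]} for passphrase-less keys reaching >1 host."""
    return {p: hs for p, hs in hosts_by_key(config_text).items()
            if key_is_unencrypted(read_key(p))
            and (len(hs) > 1 or any(c in "*?" for h in hs for c in h))}

def constructed_key(cipher):  # constructed header only, contains no key material
    blob = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{blob}\n-----END OPENSSH PRIVATE KEY-----"

# Constructed sample: the post's stanza (trimmed) plus three hypothetical ones.
SAMPLE_CONFIG = ("Host x.y.z.t\n  IdentityFile /home/ggeller/.ssh/id_dsa_eola\n"
                 "Host backup1 backup2\n  IdentityFile ~/.ssh/id_batch\n"
                 "Host *.lab\n  IdentityFile = ~/.ssh/id_lab\n"
                 "Host bastion\n  IdentityFile ~/.ssh/id_main\n")
SAMPLE_KEYS = {"/home/ggeller/.ssh/id_dsa_eola": "-----BEGIN DSA PRIVATE KEY-----\nAAAA",
               "~/.ssh/id_batch": constructed_key(b"none"),
               "~/.ssh/id_lab": constructed_key(b"none"),
               "~/.ssh/id_main": constructed_key(b"aes256-ctr")}
print(audit(SAMPLE_CONFIG, SAMPLE_KEYS.get))
```

To run it against real files, pass a `read_key` callable that expands `~` and returns the file's text instead of `SAMPLE_KEYS.get`.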