On Tue, 22 Aug 2000, Steve Manuel wrote:
> This is correct but there is one little wrinkle that needs to be addressed.
> When you run ssh-keygen it will create the public/private keypair then ask
> you for a password. You should *not* type a password. Just press the enter
> key. I believe it asks for the password twice so press enter twice. It
> struck me as odd that ssh would ask for a password for something that was
> to automate logging in. However there is a reason.
>
> The idea behind using ssh-keygen is so that you not only have to use a
> password but you also have to have the matching private key of the public
> key on the system you are logging into (this is what is in the
> authorized_keys file). The default usage of ssh only asks for a password
> which means that if I knew your password I could easily login to a remote
> system using 'ssh -l <yourusername> host.domain.com'. However, if you have
> generated the public/private keypair I now *have* to be on the system that
> has that private key because ssh is doing two things: verifying password and
> matching the keys.
>
> The up-shot of all this is if you generate the public/private keypair
> without specifying a password, ssh will just do a keypair check. If they
> match, you're in. If they don't, you're not.
>
The reason for using a pass phrase (it can be loooong) is to protect the
key. If the account with the private key without a pass phrase is
compromised, so is any account that accepts that key (and a quick run
through ~/.ssh/known_hosts will point those out). Anyone (say, root) that
has access to ~/.ssh/identity can hijack that key.
What to do about scripting? Look at man ssh-agent; basically it will allow
the pass phrase to be entered once per login rather than once per ssh
session.
As always, it's a trade-off between security and convenience.
Bill Carlson
------------
Systems Programmer [EMAIL PROTECTED] | Opinions are mine,
Virtual Hospital http://www.vh.org/ | not my employer's.
University of Iowa Hospitals and Clinics |
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
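A concrete way to act on the point above (a private key stored without a pass phrase is only as safe as the account holding it) and on the quoted post's description of an unprotected key, as an added example that is not part of this thread and not OpenSSH's own code: a small POSIX sh audit that tells pass-phrase-protected private keys from unprotected ones and lists which kind sits in a directory. It assumes the two containers current OpenSSH writes (the legacy PEM format with a Proc-Type header, and the "openssh-key-v1" format whose decoded payload names the cipher, "none" meaning stored in clear); the SSH1 ~/.ssh/identity format the thread refers to is not handled. The function names are mine, and the sample key files the test builds are constructed headers with filler bodies, not real keys.

```shell
#!/bin/sh
# Added example, not from the original thread or from OpenSSH.
# Needs POSIX sh plus base64(1), head(1), tail(1), sed(1), grep(1).

# key_is_encrypted FILE
# Returns 0 if the key needs a pass phrase, 1 if it is stored in clear,
# 2 if FILE is not a private key format this script understands.
key_is_encrypted() {
    f=$1
    if grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # Decoded payload: "openssh-key-v1\0" (15 bytes), a 4-byte big-endian
        # length, then the cipher name.  "none" means no pass phrase.
        cipher=$(sed -n '/^-----BEGIN OPENSSH PRIVATE KEY-----$/,/^-----END OPENSSH PRIVATE KEY-----$/p' "$f" \
            | grep -v '^-----' | base64 -d | tail -c +20 | head -c 4)
        [ "$cipher" != none ]
        return
    fi
    if grep -q -- '-----BEGIN .* PRIVATE KEY-----' "$f"; then
        # Legacy PEM container: an encrypted key carries a Proc-Type header.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f"
        return
    fi
    return 2
}

# audit_ssh_dir DIR
# Prints one line per private key found: "plaintext FILE" or "encrypted FILE".
# Public keys, known_hosts, authorized_keys and config files produce no line.
audit_ssh_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        key_is_encrypted "$f" && rc=0 || rc=$?
        case "$rc" in
            0) echo "encrypted $f" ;;
            1) echo "plaintext $f" ;;
        esac
    done
}

# agent_load_key FILE
# The per-login pattern the reply recommends: start one agent for the session,
# add the key once (ssh-add prompts for the pass phrase), and later ssh runs in
# this shell authenticate through the agent.  Not exercised by the audit.
agent_load_key() {
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$1"
}

# make_fake_openssh_key OUT CIPHER
# Constructed test input: a valid openssh-key-v1 header naming CIPHER followed
# by filler.  Only the header is meaningful; this is not usable key material.
make_fake_openssh_key() {
    out=$1 cipher=$2
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        {
            printf 'openssh-key-v1\000'
            printf "\\000\\000\\000\\$(printf '%03o' "${#cipher}")"
            printf '%s' "$cipher"
            printf 'constructed filler, not key material'
        } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$out"
}

# make_fake_pem_key OUT encrypted|plain
# Constructed test input: a legacy PEM container with only the headers that
# matter to the check; the body is filler, not a real key.
make_fake_pem_key() {
    out=$1
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
            echo
        fi
        printf 'constructed filler, not key material' | base64
        echo '-----END RSA PRIVATE KEY-----'
    } > "$out"
}
```

To use it on a real account: source the file, then `audit_ssh_dir ~/.ssh`. A key made with `ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519` and Enter at the pass-phrase prompt (the setup the quoted post describes) shows up as "plaintext"; the same command with a pass phrase shows up as "encrypted", and `agent_load_key ~/.ssh/id_ed25519` then covers the scripting case without leaving the key in clear on disk.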