In-Reply-To: <[EMAIL PROTECTED]>

>Subject: SSH Passphrase
>From: Stefan Lesicnik <[EMAIL PROTECTED]>
>
>I have the need to scp a file to a remote server without specifying the
>password as it is done from a non-interactive script.
>I have accomplished this by generating a dsa key without a passphrase.
>Although this works, I am worried about the security concerns of doing
>this? (Without a passphrase, how does it authenticate? Based on the
>machine's dsa key which was made from machine-specific entropy?)
>I know of programs such as ssh-agent, but these require you to enter a
>passphrase at the beginning of the session which it then remembers; this
>isn't possible as it is non-interactive in my case. Does anyone have any
>ideas or comments?
>
>TIA
>Stefan Lesicnik

This is probably the worst explanation you'll ever hear about public/private key exchange. Basically, it's not good practice to keep a private key without a passphrase. Why? Because anyone with that key can now sign into your server -- no questions asked. It's like a credit card or bank card -- you want the PIN on it.

I can't really explain public/private key exchange that well; it's slightly involved, but I can tell you it makes use of very large floating point computations and modular arithmetic. I know "The Code Book" by Simon Singh (I think that's right) has some more information on this.

The way I would conquer your problem would be by creating a new account (one that has very few permissions). You should be able to use the public key with that, although I'd still protect your private key (again, keys to car, bank account, etc.). Then, even if your private key is compromised, the intruder would have very limited access -- only to that one directory you gave the user access to write. Assuming you're making backups, even if something critical was deleted, it could be restored.

That's my best recommendation. But please, protect the private key!!!

--Doug Kelly
[EMAIL PROTECTED]
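Doug's low-privilege account can be tightened further on the server side by restricting the unattended key itself in that account's authorized_keys. The script below is an added example, not from the thread: it builds such an entry and audits a file for keys that carry no restrictions. It assumes a hypothetical forced command /usr/local/bin/receive-backup, a constructed placeholder public key and source address, and an ed25519 key type rather than the DSA key in the question, since current OpenSSH disables DSA by default.

```shell
#!/bin/sh
# Added example (not from the thread). Hardens an unattended, passphrase-less
# key by limiting what it can do on the server, and audits an authorized_keys
# file for keys that have no option prefix and therefore no restrictions.

# Constructed placeholder public key; not a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey0000 backup@client'

# Build one authorized_keys line for an automation key.
#   $1 = source host/IP pattern (from=), $2 = forced command, $3 = public key
# "restrict" (OpenSSH 7.2+) turns off port/agent/X11 forwarding and PTY
# allocation; "command=" replaces whatever the client asked to run, so a
# stolen key can only invoke that one program from that one source.
restricted_entry() {
    printf 'restrict,from="%s",command="%s" %s\n' "$1" "$2" "$3"
}

# Count entries whose line begins directly with a key type, i.e. keys
# installed with no options at all. Blank lines and comments are skipped.
count_unrestricted() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 ~ /^(ssh-|ecdsa-|sk-)/ { n++ }
         END { print n + 0 }' "$1"
}

# Write a constructed file holding one bare key and one restricted key,
# then report how many unrestricted entries the audit finds (expect 1).
demo() {
    dir=$(mktemp -d)
    {
        echo '# constructed sample authorized_keys'
        echo "$SAMPLE_KEY"
        restricted_entry '192.0.2.10' '/usr/local/bin/receive-backup' "$SAMPLE_KEY"
    } > "$dir/authorized_keys"
    count_unrestricted "$dir/authorized_keys"
    rm -rf "$dir"
}

demo
```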