On 13.09.2009 at 12:31, Leif Nixon wrote:
> <snip>
> This is the way to go. All our systems are set up this way. Works just
> fine. You just need a mechanism for maintaining host keys and
> ssh_known_hosts. (And remember that this doesn't work for root - you
> need separately set up ~root/.shosts and ~root/.ssh/known_hosts if you
> want it.)
> Oh, and DO NOT USE PASSPHRASE-LESS PRIVATE KEYS!
> Do the Internet a service and scan your users' home directories for
> passphrase-less private ssh keys. This is as easy as running
> # grep -L ENCRYPTED /home/*/.ssh/id_?sa
> Delete all such keys that don't have a good reason for existence. (Yes,
> we do so on all our systems.)
I agree. And to keep it convenient between multiple clusters I guide my
students to use just one passphrase-protected key and an ssh-agent in
addition. There is a nice Howto about it:
http://unixwiz.net/techtips/ssh-agent-forwarding.html
But: even with a passphrase the ssh key should be protected as much as
possible. Once someone has the private key, any offline brute-force to
get the passphrase won't take long I fear. They could just try to
recreate the public part of the key with: ssh-keygen -y which is
completely offline, as this will also need the passphrase to be entered.
-- Reuti
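The `grep -L ENCRYPTED` one-liner quoted above relies on the legacy PEM encoding, where a passphrase-protected key carries a `Proc-Type: 4,ENCRYPTED` header. Keys written in the newer `openssh-key-v1` encoding (`-----BEGIN OPENSSH PRIVATE KEY-----`) contain no such marker; instead the cipher name in their binary header is `none` when no passphrase was set. The following scanner is an added example, not code from either poster or from OpenSSH: it classifies both encodings and walks a `/home/*/.ssh/id_*` glob (the default pattern is an assumption matching the post's layout). The sample keys it writes into a temporary directory are constructed for the demonstration; only their headers are realistic, the key material is dummy bytes.

```python
"""Find passphrase-less SSH private keys in users' ~/.ssh directories.

Added example. Handles the legacy PEM encoding (encryption signalled by a
'Proc-Type: 4,ENCRYPTED' header or a PKCS#8 'BEGIN ENCRYPTED PRIVATE KEY'
armour) and the 'openssh-key-v1' encoding, whose header names the cipher.
"""
import base64
import glob
import os
import struct
import tempfile
from typing import List, Optional

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_v1_cipher(blob: bytes) -> Optional[str]:
    """Return the cipher name from an openssh-key-v1 blob, or None if the
    bytes are not in that format. Layout: magic, then a length-prefixed
    ciphername string (uint32 big-endian length + bytes)."""
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    if len(blob) < off + 4:
        return None
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if len(blob) < off + n:
        return None
    return blob[off:off + n].decode("ascii", "replace")


def key_is_encrypted(text: str) -> Optional[bool]:
    """Classify the text of a private-key file.
    True  -> passphrase-protected, False -> plaintext key,
    None  -> not a private key (e.g. a .pub file or unrelated data)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    head = lines[0]
    if not (head.startswith("-----BEGIN ") and "PRIVATE KEY-----" in head):
        return None
    if head == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if head == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            return None
        cipher = openssh_v1_cipher(blob)
        if cipher is None:
            return None
        return cipher != "none"
    # Legacy PEM: headers precede the base64 body; encryption is declared there.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:])


def find_plaintext_keys(pattern: str = "/home/*/.ssh/id_*") -> List[str]:
    """Return paths matching `pattern` that hold a passphrase-less private key.
    The default glob is an assumption matching the post's directory layout."""
    found = []
    for path in sorted(glob.glob(pattern)):
        if path.endswith(".pub") or not os.path.isfile(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                text = fh.read()       # private keys are small; read whole file
        except OSError:
            continue                   # unreadable file: skip, do not guess
        if key_is_encrypted(text) is False:
            found.append(path)
    return found


def openssh_v1_sample(cipher: str) -> str:
    """Constructed sample: openssh-key-v1 armour whose header names `cipher`.
    Only the header is realistic; the key material is dummy zero bytes."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(b"\x00" * 32) + s(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM samples (dummy base64 body, realistic headers).
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n-----END RSA PRIVATE KEY-----\n")
LEGACY_PLAIN = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n-----END RSA PRIVATE KEY-----\n")


def demo() -> List[str]:
    """Lay the constructed samples out like /home/<user>/.ssh in a temp dir
    and return the basenames of the keys the scan flags as passphrase-less."""
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "alice", ".ssh")
        os.makedirs(ssh_dir)
        samples = {
            "id_rsa": LEGACY_ENCRYPTED,
            "id_rsa_plain": LEGACY_PLAIN,
            "id_ed25519": openssh_v1_sample("aes256-ctr"),
            "id_ed25519_plain": openssh_v1_sample("none"),
            "id_rsa.pub": "ssh-rsa AAAAB3NzaC1yc2E= alice@example (constructed)\n",
        }
        for name, text in samples.items():
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write(text)
        flagged = find_plaintext_keys(os.path.join(root, "*", ".ssh", "id_*"))
        return sorted(os.path.basename(p) for p in flagged)


if __name__ == "__main__":
    for name in demo():
        print("passphrase-less key:", name)
```

Run as root against the real default pattern (`find_plaintext_keys()`) to get the same list the `grep -L` one-liner produces for legacy keys, plus the new-format keys that one-liner misses; a result of `None` for a file means it is not a private key at all and is deliberately left out of the report rather than guessed at.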
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org sponsored by Penguin Computing