On Sun, 10 May 1998, G. Kapetanios wrote:
> Thanks for all the replies. The RSA keys method can be made not to ask for
> anything if you put no passphrase, and that is my question. I can do what
> I want without a passphrase. But is this safe ??
> The man page of ssh-keygen says that if you put no passphrase YOU SHOULD
> KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not
> bother to explain what the consequences of no passphrase are. Does anyone
> know ??
> Thanks
> George

From my understanding (which is far from complete) ssh does its main authentication via two public/private keys (one for the server and one for the client). When you first connect via ssh there is a challenge/answer session that goes on so that the server can confirm the identity of the client. Once this is confirmed the session is encrypted and from there it is just like rsh.

So the passphrase prompt you see is the same as you would get when using rsh from an untrusted client. Thus if the client truly is a 'trusted' host then you can set it up so that you don't need to enter the passphrase. This is a lot safer than using rsh from a 'trusted' host, as you are not open to spoof attacks (where some other machine pretends to be the trusted host).

On the other hand, I'm sure there are some *extremely* complicated ways to abuse the trust of the server to gain entry to the system from somewhere else - but if you trust your network enough to use rsh with no passphrase, then you will have no worries about using ssh with no passphrase.

Chris