On Sun, May 10, 1998 at 09:15:07PM +0100, G. Kapetanios wrote:
>
> Thanks for all the replies. The RSA keys method can be made not to ask for
> anything if you put no passphrase, and that is my question. I can do what
> I want without a passphrase. But is this safe??
> The man page of ssh-keygen says that if you put no passphrase YOU SHOULD
> KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not
> bother to explain what the consequences of no passphrase are. Does anyone
> know??
The danger is that someone gaining your private key by any means is able to
log in to any other machine that accepts that key.

What I do locally is put pass phrases on my private keys, but use ssh-agent
to start the system Xsession script. Then in .xsession, I run ssh-add. After
ssh-add returns, I try to start remote sessions.

The following is added to /etc/X11/Xsession just after the /etc/environment
clause:

    # Re-exec the Xsession script under ssh-agent (once) so every child
    # of the X session inherits SSH_AGENT_PID and SSH_AUTH_SOCK.
    if [ -x /usr/bin/ssh-agent ] ; then
        if [ -z "${SSH_AGENT_PID}" ] ; then
            exec /usr/bin/ssh-agent "$0"
        fi
    fi

Then in your .xsession file, you may

    ssh-add
    xtoolwait ssh -n remote.host.name xterm -geometry +0-0 +sb +rv -e mutt -y

The ssh-agent process will hold the unencrypted private key in RAM, which is
more difficult for an intruder to read than from disk. The ssh-agent dies
when you log out as well.

This modification to Xsession has been submitted as part of wishlist #15085
against xbase, but hasn't been acted on yet. The above would probably also
work at the top of a .xsession file, but I haven't tested it.

An alternative is to run ssh-agent and ssh-add from your .login/.profile
files, and save the output (export SSH_*=... lines) to a temporary file for
future sourcing. Email me if you want bash versions (they're on an offline
machine at the moment).

-Drake

--
Dr. Drake Diedrich, Research Officer - Computing, (02)6279-8302
John Curtin School of Medical Research, Australian National University 0200
Replies to other than [EMAIL PROTECTED] will be routed off-planet
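A bash version of the .login/.profile alternative Drake mentions, written here as an added example (it is not Drake's script and does not come from the thread). It assumes the saved agent output lives at ~/.ssh/agent.env and has the `ssh-agent -s` line format shown in the comments; instead of sourcing that file it extracts only the two expected values, so a tampered file cannot execute anything in the login shell, and it reuses a still-running agent rather than starting a new one per login.

```bash
#!/bin/bash
# Constructed example: keep one ssh-agent per user across logins from
# ~/.profile, reading the saved "ssh-agent -s" output without sourcing it.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Pull a single value out of saved "ssh-agent -s" output, which looks like
#   SSH_AUTH_SOCK=/tmp/ssh-abc/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
# Only the matching "NAME=value; export NAME;" line is accepted.
agent_env_value() {   # $1 = env file, $2 = variable name
    sed -n "s/^$2=\([^;]*\); export $2;.*/\1/p" "$1" 2>/dev/null | head -n 1
}

# Succeed only if the saved agent still exists: the PID is a positive number
# belonging to a live process we may signal, and the socket is still present.
# Anything else (missing file, dead agent, stale socket) means "start fresh".
agent_alive() {   # $1 = env file
    pid=$(agent_env_value "$1" SSH_AGENT_PID)
    sock=$(agent_env_value "$1" SSH_AUTH_SOCK)
    case "$pid" in '' | *[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 0 ] || return 1
    [ -n "$sock" ] || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    [ -S "$sock" ] || return 1
}

# Export the two agent variables into the current shell from the saved file.
agent_export() {   # $1 = env file
    SSH_AGENT_PID=$(agent_env_value "$1" SSH_AGENT_PID); export SSH_AGENT_PID
    SSH_AUTH_SOCK=$(agent_env_value "$1" SSH_AUTH_SOCK); export SSH_AUTH_SOCK
}

# Called from ~/.profile: reuse a live agent or start one (the env file is
# created mode 0600 via umask), then load the key once; later logins inherit
# the same agent and are not prompted again.
ensure_agent() {
    if ! agent_alive "$AGENT_ENV"; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    fi
    agent_export "$AGENT_ENV"
    # ssh-add -l exits non-zero when the agent holds no identities.
    ssh-add -l >/dev/null 2>&1 || ssh-add
}

# In ~/.profile:   . "$HOME/bin/agent-env.sh" && ensure_agent
```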