[PLUG] ssh pass phrase authorization

Rich Shepard rshepard at appl-ecosys.com
Thu Feb 17 16:26:51 UTC 2005


On Thu, 17 Feb 2005, Eric Wilhelm wrote:

> Are you using the '-i' option?

   No.

> Try 'ssh-agent bash', then do 'ssh-add .ssh/id_dsa'.  That should force
> the use of that key.  If you still get a password prompt when you try to
> ssh from inside of that shell, it means your public key isn't right on the
> other end (IIRC.)

   I was asked for my passphrase when I ran the second command. But, going to
the remote host required only my password.

> If you have password logins enabled on the server, then using a key isn't
> really more secure, just more convenient if it's a passwordless key.  The
> security advantage of using keys comes when you configure the server to
> disallow password logins, so that only the holder of the private key (who
> also holds the passphrase for that key) can login. This prevents the
> social-engineering/guess-my-mother's-maiden-name type of attack.

   Makes sense. However, in my case I could not get to another host locally
or remotely under this condition. Passwords are useful locally; I'd prefer
to be asked for my passphrase when I'm logging in from a hotel somewhere.

> If you really want to add security when you are away from the office,
> configure the office machine with two ssh servers.  One running on port 22
> and allowing password logins from all users, the other running on port 26
> (or something) with (optionally) only a select list of users allowed to
> login with only dsa keys.  Then get the firewall to forward port 22
> connections to port 26 on that box.  There are some other tricks involved,
> so let me know if you're interested.

   There are only two of us allowed ssh access; that's kept out the riff-raff
running their scripts with the same set of phoney usernames/passwords.

   My firewall is still floppyfw; this weekend I'm going to get the LinkSys
appliance configured and on-line. I don't think I can redirect ports on the
appliance.

   I'll look at public keys everywhere; they're all supposed to be on each
host.

Thanks very much,

Rich

-- 
Dr. Richard B. Shepard, President
Applied Ecosystem Services, Inc. (TM)
<http://www.appl-ecosys.com>   Voice: 503-667-4517   Fax: 503-667-8863
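The configuration Eric describes above (disallow password logins, and optionally a second sshd on another port that admits only a select list of users with keys) can be checked and generated with a small POSIX sh script. This is an added example, not code from the thread or from OpenSSH: the function names `sshd_effective`, `check_keyonly` and `write_keyonly_config` are mine, the sample config file is constructed, and the usernames `rich` and `eric` are placeholders. It also checks `ChallengeResponseAuthentication`, which the thread does not mention, because with it left at its default of yes a PAM keyboard-interactive prompt can still ask for a password even when `PasswordAuthentication` is no.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for key-only
# login and emit the second, key-only sshd config Eric suggests.

# sshd_effective FILE KEYWORD: print the effective (first) value of KEYWORD.
# sshd honours the FIRST occurrence of a keyword, so only head -n1 matters.
# Keywords are case-insensitive in sshd_config, hence grep -i.
sshd_effective() {
    grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" \
        | head -n1 \
        | awk '{ print tolower($2) }'
}

# check_keyonly FILE: return 0 if FILE admits only public-key logins,
# 1 otherwise, printing each offending setting. When a keyword is absent
# the sshd default applies (yes for all three), so absence is a finding.
check_keyonly() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    [ -n "$pw" ] || pw=yes
    [ -n "$cr" ] || cr=yes
    [ -n "$pk" ] || pk=yes
    ok=0
    [ "$pw" = no ]  || { echo "$1: PasswordAuthentication is $pw (want no)"; ok=1; }
    [ "$cr" = no ]  || { echo "$1: ChallengeResponseAuthentication is $cr (want no)"; ok=1; }
    [ "$pk" = yes ] || { echo "$1: PubkeyAuthentication is $pk (want yes)"; ok=1; }
    return $ok
}

# write_keyonly_config OUTFILE PORT USER...: write the config for the second
# sshd instance: alternate port, keys only, restricted to the listed users.
write_keyonly_config() {
    out="$1"; port="$2"; shift 2
    {
        echo "Port $port"
        echo "PasswordAuthentication no"
        echo "ChallengeResponseAuthentication no"
        echo "PubkeyAuthentication yes"
        echo "AllowUsers $*"
        echo "PidFile /var/run/sshd-keyonly.pid"   # must differ from the port-22 instance
    } > "$out"
}

# Demo on constructed files (not the poster's real configuration).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.weak" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
write_keyonly_config "$tmp/sshd_config.keyonly" 26 rich eric

for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.keyonly"; do
    if check_keyonly "$f"; then
        echo "$f: key-only OK"
    fi
done
# The second instance is started with its own file:  sshd -f "$tmp/sshd_config.keyonly"
```

Run it as-is to see the weak file flagged on two settings and the generated file pass; point `check_keyonly` at a real `/etc/ssh/sshd_config` to audit it. The generated file uses the default `HostKey` paths, so both instances present the same host key and clients do not get a changed-key warning when the firewall forwards port 22 to port 26.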
