[PLUG] ssh pass phrase authorization
Rich Shepard
rshepard at appl-ecosys.com
Thu Feb 17 16:26:51 UTC 2005
On Thu, 17 Feb 2005, Eric Wilhelm wrote:
> Are you using the '-i' option?
No.
> Try 'ssh-agent bash', then do 'ssh-add .ssh/id_dsa'. That should force
> the use of that key. If you still get a password prompt when you try to
> ssh from inside of that shell, it means your public key isn't right on the
> other end (IIRC.)
I was asked for my passphrase when I ran the second command. But going to
the remote host required only my password.
> If you have password logins enabled on the server, then using a key isn't
> really more secure, just more convenient if it's a passwordless key. The
> security advantage of using keys comes when you configure the server to
> disallow password logins, so that only the holder of the private key (who
> also holds the passphrase for that key) can login. This prevents the
> social-engineering/guess-my-mother's-maiden-name type of attack.
Makes sense. However, in my case I could not get to another host locally
or remotely under this condition. Passwords are useful locally; I'd prefer
to be asked for my passphrase when I'm logging in from a hotel somewhere.
> If you really want to add security when you are away from the office,
> configure the office machine with two ssh servers. One running on port 22
> and allowing password logins from all users, the other running on port 26
> (or something) with (optionally) only a select list of users allowed to
> login with only dsa keys. Then get the firewall to forward port 22
> connections to port 26 on that box. There are some other tricks involved,
> so let me know if you're interested.
There are only two of us allowed ssh access; that's kept out the riff-raff
running their scripts with the same set of phoney usernames/passwords.
My firewall is still floppyfw; this weekend I'm going to get the LinkSys
appliance configured and on-line. I don't think I can redirect ports on the
appliance.
I'll look at public keys everywhere; they're all supposed to be on each
host.
Thanks very much,
Rich
--
Dr. Richard B. Shepard, President
Applied Ecosystem Services, Inc. (TM)
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
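As an added example, not code from the thread or from either poster: a small POSIX shell checker for the point Eric makes about disallowing password logins, run over two constructed sshd_config samples modelled on his two-instance layout (port 22 with passwords, port 26 keys only). It also checks ChallengeResponseAuthentication, since keyboard-interactive via PAM can still accept a password; the AllowUsers names and the mktemp paths are placeholders.

```shell
# Added example, not from the original thread: audit an sshd_config for the
# "keys only" policy Eric describes. sshd keyword matching is case-insensitive,
# the FIRST value given for a keyword wins, and anything after a Match block is
# conditional, so the checker reads only the global section and stops at Match.

# sshd_effective FILE KEYWORD -> prints the effective (first) value, lowercased
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }                  # comments and blank lines
        { sub(/=/, " ") }                                # accept "Keyword=value" too
        tolower($1) == "match" { exit }                  # conditional section: stop
        tolower($1) == kw      { print tolower($2); exit }
    ' "$1"
}

# key_only_policy FILE -> 0 when the config forces public-key logins, 1 if a
# password (plain or via keyboard-interactive/PAM) would still be accepted.
# Defaults when a keyword is absent: PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, PubkeyAuthentication yes.
key_only_policy() {
    pw=$(sshd_effective "$1" PasswordAuthentication)
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    if [ "${pw:-yes}" = no ] && [ "${cra:-yes}" = no ] && [ "${pk:-yes}" = yes ]; then
        return 0
    fi
    return 1
}

# Constructed sample configs for the two-instance layout from the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_port22.conf" <<'EOF'
# convenience instance: any user may log in with a password
Port 22
PasswordAuthentication yes
EOF
cat > "$SAMPLE_DIR/sshd_port26.conf" <<'EOF'
# key-only instance that the firewall forwards external port 22 to
Port 26
AllowUsers user1 user2
passwordauthentication no
ChallengeResponseAuthentication=no
PubkeyAuthentication yes
# a later repeat of a keyword is ignored by sshd: the first value wins
PasswordAuthentication yes
EOF
for f in "$SAMPLE_DIR"/sshd_port*.conf; do
    if key_only_policy "$f"; then echo "$f: key-only"; else echo "$f: passwords accepted"; fi
done
```

Point the functions at a real /etc/ssh/sshd_config to check the live policy; the sample files are only there so the block runs on its own.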