Re: ssh question
On Sun, 10 May 1998, G. Kapetanios wrote:
> Thanks for all the replys. The RSA keys method can be made not to ask for
> anything if you put no passphrase, and that is my question. I can do what
> I want without a passphrase. But is this safe ??
> The man page of ssh-keygen says that if you put no passphrase YOU SHOULD
> KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not
> bother to explain what the consequences of no passphrase are. Does anyone
> know ??
>From my understanding (which is far from complete) ssh does its
main authentication via two public/private keys (one for the server and
one for the client). When you first connect via ssh there is a
chalenge/answer session that goes on so that the server can confirm the
identity of the client. Once this is confimed the session is encrypted
and from there it is just like rsh. So the passphrase prompt you see is
the same as you would get when using rsh from an untrusted client.
Thus if the client truely is a 'trusted' host then you can set it up so
that you don't need to enter the passphrase. This is alot safer than
using rsh from a 'trusted' host, as you are not open to spoof attacks
(where some other machine pretends to be the trusted host).
On the other hand, I'm sure there are some *extremely* complicated ways to
abuse the trust of the server to gain entry to the system from somewhere
else - but if you trust your network enough to use rsh with no passphrase,
then you will have no worries about using ssh with no passphrase.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org