
Re: remote login advice



On Fri, Nov 10, 2000 at 01:37:02PM +1100, Damon Muller wrote:
> Quoth Moritz Schulte, 
> > SSH (Secure SHell) is a very nice telnet replacement, which uses
> > encryption and keys. Try apt-get install ssh...
> 
> I'll second this and add something to it.
> 
> If you have ssh running on both the laptop and desktop, you can set up
> ssh to use public key verification, so you don't need a password.

yes, it's called ssh-agent.

> on the laptop, run `ssh-keygen', leaving the password blank[1]. That

don't do that, use ssh-agent instead, then you only enter the password
for the key once and it lasts until you log out of your local session.

> should create a file called `~/.ssh/identity.pub'. Copy that file to the
> desktop (eg., scp ~/.ssh/identity.pub desktop:/tmp), and add the
> contents of the file to ~/.ssh/authorized_keys (note the bonehead
> American spelling of `authorized'), possibly by doing `cat
> /tmp/identity.pub >> ~/.ssh/authorized_keys'.

and probably chmod -R go= ~/.ssh ; chmod g-w ~  due to common
boneheaded default permissions/umasks.

> Note that to do this, sshd must be suid root (I think), but you can't
> log in as root (as you shouldn't, log in as a non-privileged user and
> use su or sudo).

sshd suid root?  eh no, /usr/bin/ssh also need not be suid root (and
should not be); the only time you need ssh to be suid root is if you
use the evil .rhosts authentication, or its slightly better .shosts.
pure RSA is far superior to both though, so you should never need to
enable .rhosts.

> [1] There are security implications to this, but I find the convenience
> outweighs any (small) danger.

ah but you can have BOTH security and convenience:

when you login to a text terminal:

exec ssh-agent bash
ssh-add .ssh/identity
[enter your key passphrase]
ssh hostname 
[logged in without typing any password/passphrase]

in X it is even cooler, add this to your ~/.xsession:

export SSH_ASKPASS=/usr/bin/ssh-askpass
[ -n "$SSH_AUTH_SOCK" ] && chmod 600 "$SSH_AUTH_SOCK"
sleep 4 && /usr/bin/ssh-add ~/.ssh/identity.plato &

then you get a graphical dialog asking for your ssh key passphrase;
once you enter it, all your xterms, rxvts, whatever will be able to ssh
without passwords.  though arguably this could be risky if you run
flaky software like netscape, perhaps it would be a good idea to add
`unset SSH_AUTH_SOCK' to the netscape wrapper script.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
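Two of the points in this reply are easy to check mechanically: the `chmod -R go= ~/.ssh ; chmod g-w ~` fix for sloppy umasks, and the idea of running untrusted programs with `SSH_AUTH_SOCK` unset so they cannot reach the agent. The following POSIX shell script is an added example, not code from the mail or from OpenSSH; it builds a constructed temporary home directory with the bad permissions a 002 umask produces, audits it, applies the fix from the mail, and shows a wrapper function that hides the agent socket from a child process. The key files it writes are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original mail). Works on a constructed
# temporary home directory so it can be run safely anywhere.

# Symbolic mode string of a path, e.g. "drwxr-xr-x" (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Returns 0 when the home dir is not group-writable and nothing under
# ~/.ssh is readable/writable/executable by group or other. These are
# roughly the conditions sshd's StrictModes enforces before it will trust
# authorized_keys, and what `chmod -R go= ~/.ssh ; chmod g-w ~` produces.
ssh_perms_ok() {
    home="$1"
    # position 6 of the mode string is the group-write bit
    [ "$(mode_of "$home" | cut -c6)" != "w" ] || return 1
    for p in "$home/.ssh" "$home"/.ssh/*; do
        [ -e "$p" ] || continue
        # positions 5-10 are the group and other bits; all must be '-'
        [ "$(mode_of "$p" | cut -c5-10)" = "------" ] || return 1
    done
    return 0
}

# The fix recommended in the mail.
fix_ssh_perms() {
    home="$1"
    chmod -R go= "$home/.ssh"
    chmod g-w "$home"
}

# Build a constructed home directory with the permissions a umask of 002
# typically leaves behind. Prints the path.
make_bad_home() {
    home="$(mktemp -d)"
    mkdir "$home/.ssh"
    # constructed placeholder contents, not real key material
    printf 'ssh-rsa AAAAconstructedPUBLICKEY user@laptop\n' > "$home/.ssh/authorized_keys"
    printf 'constructed private key placeholder\n' > "$home/.ssh/identity"
    chmod 775 "$home"                                   # group-writable home
    chmod 755 "$home/.ssh"                              # world-readable .ssh
    chmod 644 "$home/.ssh/authorized_keys" "$home/.ssh/identity"
    printf '%s\n' "$home"
}

# Run a command with the agent socket hidden, as the mail suggests for a
# netscape wrapper: the child inherits everything except SSH_AUTH_SOCK,
# so a compromised or flaky program cannot sign with your loaded keys.
run_without_agent() {
    (unset SSH_AUTH_SOCK; exec "$@")
}

# Stand-alone demo when executed directly.
if [ "${0##*/}" = "ssh_perms_demo.sh" ]; then
    h="$(make_bad_home)"
    if ssh_perms_ok "$h"; then echo "unexpectedly ok"; else echo "bad perms detected"; fi
    fix_ssh_perms "$h"
    if ssh_perms_ok "$h"; then echo "fixed"; else echo "still bad"; fi
    SSH_AUTH_SOCK=/tmp/agent.sock run_without_agent sh -c 'echo "agent sock in child: [$SSH_AUTH_SOCK]"'
    rm -rf "$h"
fi
```

Save it as `ssh_perms_demo.sh` and run it with `sh` to see the audit fail on the constructed tree, pass after the fix, and the child process report an empty `SSH_AUTH_SOCK`. To audit a real account, call `ssh_perms_ok "$HOME"` from an interactive shell after sourcing the file.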
