
Re: How to pass in a password to the ssh command line client?



On December 26, 2002 08:27 am, the fabulous hugh at atosc dot org wrote:

> Using a ssh key without a passphrase seems to be a bad idea.
> You need to look at keychain.

Depends on what you are doing but keychain definitely looks interesting 
(haven't given it a try yet).

Looking at the description of keychain I'd still go with a passphraseless key 
though.  I don't want automated scripts failing because a server has rebooted 
and I forgot to run keychain.

The passphraseless key would be severely restricted:

- login only allowed from known host
- key only used in purpose specific case (not for general login)
- key restricted in port forwards allowed
- possibly forcibly running a command on login, allow nothing else

I'm not sure how keychain reduces the risks.  A passphraseless key is mode 
400; root or user-level compromise is required for it to be used in an 
attack.  The same level of compromise would make your keychain setup just as 
vulnerable, right?

Fraser
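
The restrictions listed in the message above correspond to per-key options in OpenSSH's authorized_keys file (from=, command=, no-port-forwarding, permitopen=). The following is an added example, not part of the original post: a small auditor that reports which of those restrictions a key entry lacks. The sample entries, host address, command paths and key blobs are constructed, and the key-type prefix check is a simplifying assumption.

```python
import re

# Assumption: a line that starts with one of these has no options field.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def split_options(line):
    """Return {option: value_or_True} for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith(("#",) + KEY_PREFIXES):
        return {}
    # The options field ends at the first whitespace outside double quotes.
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            end = i
            break
    opts = {}
    # Each option is name or name="value"; commas inside quotes stay in the value.
    pattern = r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|$)'
    for m in re.finditer(pattern, line[:end]):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else True
    return opts

def audit(line):
    """List which of the restrictions named in the post are missing."""
    o = split_options(line)
    # "restrict" disables forwarding unless "port-forwarding" re-enables it.
    restricted = "restrict" in o and "port-forwarding" not in o
    missing = []
    if "from" not in o:
        missing.append("from= (login only from known host)")
    if "command" not in o:
        missing.append("command= (forced command)")
    if not (restricted or "no-port-forwarding" in o or "permitopen" in o):
        missing.append("port-forward restriction")
    return missing

# Constructed sample entries; AAAA_CONSTRUCTED stands in for the key blob.
SAMPLE = [
    'ssh-ed25519 AAAA_CONSTRUCTED backup@client',
    'from="192.0.2.10",command="/usr/local/bin/push-backup",no-port-forwarding,'
    'no-pty ssh-ed25519 AAAA_CONSTRUCTED backup@client',
    'from="192.0.2.10",permitopen="127.0.0.1:5432" ssh-rsa AAAA_CONSTRUCTED tunnel@client',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.split()[-1], "->", audit(entry) or "all restrictions present")
```
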


