
Re: ssh question



On Sun, May 10, 1998 at 09:15:07PM +0100, G. Kapetanios wrote:
> 
> Thanks for all the replies. The RSA keys method can be made not to ask for
> anything if you put no passphrase, and that is my question. I can do what
> I want without a passphrase. But is this safe ?? 
> The man page of ssh-keygen says that if you put no passphrase YOU SHOULD
> KNOW WHAT YOU ARE DOING. This is the scary bit. The man page does not
> bother to explain what the consequences of no passphrase are. Does anyone
> know ??

   The danger is that someone gaining your private key by any means is able
to log in to any other machine that accepts that key.

   What I do locally is put pass phrases on my private keys, but use
ssh-agent to start the system Xsession script.  Then in .xsession, I run
ssh-add.  After ssh-add returns, I try to start remote sessions.

   The following is added to /etc/X11/Xsession just after the
/etc/environment clause:

# Re-exec this Xsession script under ssh-agent unless an agent already
# exists.  The variable is quoted so the test is well-formed when it is unset.
if [ -x /usr/bin/ssh-agent ] ; then
        if [ -z "${SSH_AGENT_PID}" ] ; then
                exec /usr/bin/ssh-agent $0
        fi
fi


   Then in your .xsession file, you may

ssh-add
xtoolwait ssh -n remote.host.name xterm -geometry +0-0 +sb +rv -e mutt -y

   The ssh-agent process will hold the unencrypted private key in RAM, which
is more difficult for an intruder to read than from disk.  The ssh-agent
dies when you log out as well.

   This modification to Xsession has been submitted as part of wishlist
#15085 against xbase, but hasn't been acted on yet.  The above would
probably also work at the top of a .xsession file, but I haven't tested it.

   An alternative is to run ssh-agent and ssh-add from your
.login/.profile files, and save the output (export SSH_*=... lines) to a
temporary file for future sourcing.  Email me if you want bash versions
(they're on an offline machine at the moment).

-Drake

--
Dr. Drake Diedrich, Research Officer - Computing, (02)6279-8302
John Curtin School of Medical Research, Australian National University 0200
Replies to other than Drake.Diedrich@anu.edu.au will be routed off-planet
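Drake offers to mail bash versions of the .login/.profile variant. The script below is an added example of that variant (not Drake's code): it saves the `ssh-agent -s` output to a file, re-sources it on later logins only after checking that the file contains nothing but the two export lines ssh-agent writes, and starts a fresh agent when the recorded one is gone. The file name ~/.ssh/agent.env is an assumption.

```sh
#!/bin/sh
# Reuse one ssh-agent across logins; intended to be sourced from .profile.
# Assumes ssh-agent -s prints Bourne-style "VAR=value; export VAR;" lines.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"   # assumed location

# Accept only the two assignment lines ssh-agent emits.  Sourcing a file
# that anyone could have edited would otherwise run arbitrary commands.
agent_env_is_sane() {
    [ -s "$1" ] && ! grep -vEq \
        '^(SSH_AUTH_SOCK=[^;[:space:]]+; export SSH_AUTH_SOCK;|SSH_AGENT_PID=[0-9]+; export SSH_AGENT_PID;)$' \
        "$1"
}

# A saved PID and socket are only useful while that agent still runs.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -S "${SSH_AUTH_SOCK:-}" ] \
        && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Source the saved environment, but only if it passes the sanity check.
load_agent_env() {
    agent_env_is_sane "$1" || return 1
    . "$1"
}

# Start an agent only when no usable one is recorded, then load keys once.
# ssh-add asks for the passphrase here, once per login, instead of each ssh.
ensure_agent() {
    load_agent_env "$AGENT_ENV" && agent_alive && return 0
    # The env file names the socket; keep it private to this user.
    (umask 077; ssh-agent -s | grep -v '^echo' > "$AGENT_ENV") || return 1
    load_agent_env "$AGENT_ENV" && agent_alive || return 1
    ssh-add
}
```

Call `ensure_agent` from .profile; as in the Xsession variant, the decrypted key lives only in the agent's memory and the saved file holds just the socket path and PID.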
