
Re: ssh keys from two behind-the-firewall boxes?



On Sat, Feb 01, 2003 at 12:57:08PM -0800, nate wrote:
> will trillich said:
> 
> > at what point are the passphrases required? if passwordless
> > login/scp is the objective, where are the passphrases used?
> 
> ssh-agent is designed to prompt you for your passphrase, then
> it stores it in memory, and automatically 'inputs' it when you
> connect. That is until you logout or reboot or something. I
> have never used ssh-agent myself. for my personal account I
> use SSH w/passphrase and just input it every time. I use
> passphrase-less keys for mostly non interactive stuff.

afaik ssh-agent stores the key in memory, not the passphrase (you never
give ssh-agent the passphrase, that's from ssh-add).  ssh-agent outputs
some environment variables that can be inherited by child processes, and
then you load in your key with ssh-add or ssh-askpass.  all the child
processes that get spawned from the process that launched ssh-agent
inherit certain env variables that let them know how to communicate
with the agent, that then provides the key-based authentication for
connections.  this process can further be forwarded onto another machine,
and the real beauty of it is that on the remote machine nothing is stored
other than a socket to talk back to the agent on the home machine.

for example, this is in my .xsession, and lets me ssh without a password
even though i have a passphrase on my key in any child process of my
xsession (xterms, etc.):

eval `ssh-agent`
ssh-add .ssh/id_dsa </dev/null


> running w/o a passphrase is still probably the most common
> way to perform automated tasks. that is, stuff from cron etc.

true.  you can however limit what commands can be executed from
authorizing with a specific key.  it'd be neat to see some way someone
could spawn off cron using ssh-agent, but it'd make boot-up require
someone be at the console.
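The per-key restriction mentioned above is the options field of an OpenSSH authorized_keys entry (command=, from=, no-pty, ...). As an added example that is not part of this mail, here is a small audit script a defender can run over a server's authorized_keys to find keys that carry no command= or from= restriction, i.e. exactly the entries that become a full shell if a passphraseless private key is copied off the machine that holds it. The sample file and key blobs are constructed placeholders.

```python
#!/usr/bin/env python3
"""Flag authorized_keys entries that lack command= and from= restrictions."""
import re

# Key-type tokens OpenSSH accepts at the start of the key proper.
KEY_TYPE = re.compile(r'^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+'
                      r'|sk-(ssh-ed25519|ecdsa-sha2-nistp256))(@openssh\.com)?$')

def split_outside_quotes(s, seps):
    """Split s on any char in seps, but not inside double quotes.
    Backslash escapes inside quotes are kept verbatim so "a\"b" stays intact."""
    out, cur, inq, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if inq and c == '\\' and i + 1 < len(s):
            cur.extend((c, s[i + 1])); i += 2; continue
        if c == '"':
            inq = not inq
        elif c in seps and not inq:
            if cur: out.append(''.join(cur)); cur = []
            i += 1; continue
        cur.append(c); i += 1
    if cur: out.append(''.join(cur))
    return out

def audit(text, required=('command', 'from')):
    """Return [(line_no, comment, missing_options)] for keys lacking any required option."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = split_outside_quotes(raw.strip(), ' \t')
        if not fields or fields[0].startswith('#'):
            continue                       # blank line or comment
        if KEY_TYPE.match(fields[0]):
            opts, rest = [], fields        # no options field at all
        else:
            opts, rest = split_outside_quotes(fields[0], ','), fields[1:]
        if len(rest) < 2 or not KEY_TYPE.match(rest[0]):
            continue                       # not a key line we understand
        comment = ' '.join(rest[2:]) or '(no comment)'
        names = {o.split('=', 1)[0].lower() for o in opts}
        missing = [r for r in required if r not in names]
        if missing:
            findings.append((n, comment, missing))
    return findings

# Constructed sample; the base64 blobs are placeholders, not real keys.
SAMPLE = """# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER backup@cron
command="/usr/local/bin/rsync-backup",from="10.0.0.5",no-pty,no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER backup@cron-restricted
from="192.168.1.0/24",command="echo hi, there" ssh-ed25519 AAAAC3PLACEHOLDER tricky
no-pty ssh-rsa AAAAB3PLACEHOLDER interactive@laptop
"""

if __name__ == '__main__':
    for line_no, comment, missing in audit(SAMPLE):
        print(f'line {line_no} ({comment}): missing {", ".join(missing)}')
```

Run it against a real file with `audit(open('/home/user/.ssh/authorized_keys').read())`; entries used only by cron jobs should normally show up clean.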

> if the system is properly secured the chance of a key getting
> compromised is not that great.

that's no attitude to take towards security.

> on my more secure systems I lock them down to key logins only,
> so even if they have my root password or account password they
> have no opportunity to input them.

right, but if they're storing a passphraseless key on another machine
to which someone else has root, that someone else now has access to
your machine too.  if that's your root key...


	sean
